Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21195
Total
1522
Critical
6451
High
6729
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-56815 | HIGH | 7.4 | pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor. | Jun 23, 2026 |
| CVE-2026-35019 | HIGH | 8.1 | NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded … | Jun 23, 2026 |
| CVE-2026-35018 | HIGH | 8.8 | NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root … | Jun 23, 2026 |
| CVE-2026-28496 | UNKNOWN | — | FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering … | Jun 23, 2026 |
| CVE-2026-27604 | UNKNOWN | — | FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API … | Jun 23, 2026 |
| CVE-2026-12969 | MEDIUM | 5.3 | An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that … | Jun 23, 2026 |
| CVE-2026-11772 | UNKNOWN | — | DRIMO CMS is vulnerable to Reflected XSS via q parameter in searching functionality. An attacker can prepare an URL that, when opened, results in arbitrary … | Jun 23, 2026 |
| CVE-2026-10609 | MEDIUM | 6.8 | A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that … | Jun 23, 2026 |
| CVE-2026-56784 | HIGH | 8.1 | OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms … | Jun 23, 2026 |
| CVE-2026-56762 | MEDIUM | 5.3 | Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control … | Jun 23, 2026 |
| CVE-2026-56701 | MEDIUM | 6.5 | Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application … | Jun 23, 2026 |
| CVE-2026-56379 | NONE | — | ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can … | Jun 23, 2026 |
| CVE-2026-56376 | LOW | 3.7 | ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale … | Jun 23, 2026 |
| CVE-2026-56371 | NONE | — | ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is … | Jun 23, 2026 |
| CVE-2026-56322 | HIGH | 7.5 | Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to … | Jun 23, 2026 |
| CVE-2026-56315 | CRITICAL | 9.8 | picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide … | Jun 23, 2026 |
| CVE-2026-56301 | MEDIUM | 5.5 | Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace … | Jun 23, 2026 |
| CVE-2026-56275 | UNKNOWN | — | Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses … | Jun 23, 2026 |
| CVE-2026-56274 | CRITICAL | 9.9 | Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in … | Jun 23, 2026 |
| CVE-2026-56263 | MEDIUM | 6.1 | Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An … | Jun 23, 2026 |
| CVE-2026-56258 | HIGH | 8.1 | Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended … | Jun 23, 2026 |
| CVE-2026-56248 | HIGH | 7.5 | Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST … | Jun 23, 2026 |
| CVE-2026-56243 | HIGH | 8.1 | Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. … | Jun 23, 2026 |
| CVE-2026-56234 | MEDIUM | 5.3 | Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The … | Jun 23, 2026 |
| CVE-2026-56225 | HIGH | 8.3 | Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a … | Jun 23, 2026 |