Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

21246
Total
1526
Critical
6466
High
6753
Medium
CVE ID Severity Score Description Published
CVE-2025-15619 LOW 3.5 HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario. Jun 23, 2026
CVE-2026-56815 HIGH 7.4 pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor. Jun 23, 2026
CVE-2026-35019 HIGH 8.1 NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded … Jun 23, 2026
CVE-2026-35018 HIGH 8.8 NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root … Jun 23, 2026
CVE-2026-28496 UNKNOWN FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering … Jun 23, 2026
CVE-2026-27604 UNKNOWN FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API … Jun 23, 2026
CVE-2026-12969 MEDIUM 5.3 An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that … Jun 23, 2026
CVE-2026-11772 UNKNOWN DRIMO CMS is vulnerable to Reflected XSS via q parameter in searching functionality. An attacker can prepare an URL that, when opened, results in arbitrary … Jun 23, 2026
CVE-2026-10609 MEDIUM 6.8 A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that … Jun 23, 2026
CVE-2026-56784 HIGH 8.1 OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms … Jun 23, 2026
CVE-2026-56762 MEDIUM 5.3 Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control … Jun 23, 2026
CVE-2026-56701 MEDIUM 6.5 Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application … Jun 23, 2026
CVE-2026-56379 NONE ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can … Jun 23, 2026
CVE-2026-56376 LOW 3.7 ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale … Jun 23, 2026
CVE-2026-56371 NONE ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is … Jun 23, 2026
CVE-2026-56322 HIGH 7.5 Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to … Jun 23, 2026
CVE-2026-56315 CRITICAL 9.8 picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide … Jun 23, 2026
CVE-2026-56301 MEDIUM 5.5 Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace … Jun 23, 2026
CVE-2026-56275 UNKNOWN Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses … Jun 23, 2026
CVE-2026-56274 CRITICAL 9.9 Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in … Jun 23, 2026
CVE-2026-56263 MEDIUM 6.1 Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An … Jun 23, 2026
CVE-2026-56258 HIGH 8.1 Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended … Jun 23, 2026
CVE-2026-56248 HIGH 7.5 Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST … Jun 23, 2026
CVE-2026-56243 HIGH 8.1 Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. … Jun 23, 2026
CVE-2026-56234 MEDIUM 5.3 Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The … Jun 23, 2026