Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21246
Total
1526
Critical
6466
High
6753
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-56316 | MEDIUM | 5.3 | Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable … | Jun 21, 2026 |
| CVE-2026-56299 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send … | Jun 21, 2026 |
| CVE-2026-56265 | CRITICAL | 9.8 | Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the … | Jun 21, 2026 |
| CVE-2026-56253 | HIGH | 7.5 | Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke … | Jun 21, 2026 |
| CVE-2026-56251 | MEDIUM | 6.5 | Capgo before 12.128.2 contains a broken row level security policy in the org_users table that allows authenticated users to elevate privileges from admin to super_admin. … | Jun 21, 2026 |
| CVE-2026-56242 | HIGH | 7.5 | Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity … | Jun 21, 2026 |
| CVE-2026-56239 | HIGH | 7.6 | Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks … | Jun 21, 2026 |
| CVE-2026-56236 | MEDIUM | 6.1 | Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks … | Jun 21, 2026 |
| CVE-2026-56229 | MEDIUM | 6.5 | Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications … | Jun 21, 2026 |
| CVE-2025-71378 | HIGH | 8.1 | picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan … | Jun 21, 2026 |
| CVE-2025-71357 | HIGH | 8.1 | picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote … | Jun 21, 2026 |
| CVE-2025-71351 | UNKNOWN | — | picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files … | Jun 21, 2026 |
| CVE-2025-71348 | HIGH | 8.1 | picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_config function within reduce methods. Attackers can craft pickle files embedding arbitrary code that … | Jun 21, 2026 |
| CVE-2026-56355 | LOW | 3.7 | GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization. | Jun 20, 2026 |
| CVE-2026-56347 | MEDIUM | 6.1 | AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, … | Jun 20, 2026 |
| CVE-2026-56346 | MEDIUM | 6.5 | AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit … | Jun 20, 2026 |
| CVE-2026-56345 | HIGH | 8.1 | AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. … | Jun 20, 2026 |
| CVE-2026-56342 | MEDIUM | 6.8 | AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which … | Jun 20, 2026 |
| CVE-2026-56341 | HIGH | 7.5 | AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated … | Jun 20, 2026 |
| CVE-2026-56340 | HIGH | 8.8 | vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, … | Jun 20, 2026 |
| CVE-2025-71379 | MEDIUM | 4.3 | vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool … | Jun 20, 2026 |
| CVE-2026-5366 | CRITICAL | 9.9 | Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which … | Jun 20, 2026 |
| CVE-2026-56332 | MEDIUM | 4.7 | Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter … | Jun 20, 2026 |
| CVE-2026-56330 | LOW | 3.5 | Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft … | Jun 20, 2026 |
| CVE-2026-56325 | LOW | 3.1 | Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to … | Jun 20, 2026 |