Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21246
Total
1526
Critical
6466
High
6753
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-9843 | HIGH | 8.1 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in … | Jun 20, 2026 |
| CVE-2026-9265 | UNKNOWN | — | Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap … | Jun 20, 2026 |
| CVE-2026-56216 | HIGH | 8.8 | Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty … | Jun 20, 2026 |
| CVE-2026-56215 | HIGH | 8.3 | Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers … | Jun 20, 2026 |
| CVE-2026-56214 | HIGH | 7.5 | Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose … | Jun 20, 2026 |
| CVE-2026-56213 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows … | Jun 20, 2026 |
| CVE-2026-56212 | LOW | 3.8 | Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for … | Jun 20, 2026 |
| CVE-2026-11551 | CRITICAL | 9.8 | The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to … | Jun 20, 2026 |
| CVE-2026-56082 | HIGH | 7.5 | Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role … | Jun 19, 2026 |
| CVE-2026-56081 | CRITICAL | 9.1 | Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that … | Jun 19, 2026 |
| CVE-2026-56080 | MEDIUM | 4.9 | Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to … | Jun 19, 2026 |
| CVE-2026-56079 | MEDIUM | 6.5 | Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and … | Jun 19, 2026 |
| CVE-2026-56073 | CRITICAL | 9.4 | Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept … | Jun 19, 2026 |
| CVE-2026-50559 | HIGH | 7.5 | Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies … | Jun 19, 2026 |
| CVE-2026-50519 | MEDIUM | 6.5 | Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network. | Jun 19, 2026 |
| CVE-2026-49346 | HIGH | 7.1 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit … | Jun 19, 2026 |
| CVE-2026-49337 | MEDIUM | 4.3 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) … | Jun 19, 2026 |
| CVE-2026-49295 | HIGH | 7.1 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write … | Jun 19, 2026 |
| CVE-2026-48794 | UNKNOWN | — | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through … | Jun 19, 2026 |
| CVE-2026-48584 | CRITICAL | 9.9 | Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network. | Jun 19, 2026 |
| CVE-2026-48582 | CRITICAL | 9.6 | Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. | Jun 19, 2026 |
| CVE-2026-48129 | MEDIUM | 6.5 | Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the … | Jun 19, 2026 |
| CVE-2026-47645 | HIGH | 8.8 | Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network. | Jun 19, 2026 |
| CVE-2026-47203 | UNKNOWN | — | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through … | Jun 19, 2026 |
| CVE-2026-45480 | CRITICAL | 10.0 | Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network. | Jun 19, 2026 |