Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21246
Total
1526
Critical
6466
High
6753
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42895 | MEDIUM | 6.5 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. | Jun 19, 2026 |
| CVE-2026-32208 | HIGH | 8.8 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network. | Jun 19, 2026 |
| CVE-2026-49345 | UNKNOWN | — | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists … | Jun 19, 2026 |
| CVE-2026-49344 | UNKNOWN | — | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON … | Jun 19, 2026 |
| CVE-2026-49342 | MEDIUM | 5.3 | YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the … | Jun 19, 2026 |
| CVE-2026-48787 | UNKNOWN | — | gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit … | Jun 19, 2026 |
| CVE-2026-48774 | HIGH | 7.5 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented … | Jun 19, 2026 |
| CVE-2026-48773 | CRITICAL | 9.8 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in … | Jun 19, 2026 |
| CVE-2026-48772 | CRITICAL | 10.0 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY … | Jun 19, 2026 |
| CVE-2026-48715 | UNKNOWN | — | radvd is a router advertisement daemon for IPv6. Prior to version 2.21, the `radvdump` utility shipped with radvd contains a stack buffer overflow in the … | Jun 19, 2026 |
| CVE-2026-48089 | UNKNOWN | — | DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any … | Jun 19, 2026 |
| CVE-2026-9375 | HIGH | 7.5 | urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three … | Jun 19, 2026 |
| CVE-2026-49340 | HIGH | 8.1 | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic … | Jun 19, 2026 |
| CVE-2026-49339 | HIGH | 7.1 | gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. … | Jun 19, 2026 |
| CVE-2026-49338 | HIGH | 7.1 | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no … | Jun 19, 2026 |
| CVE-2026-49336 | UNKNOWN | — | @microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect … | Jun 19, 2026 |
| CVE-2026-49293 | HIGH | 7.5 | js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / … | Jun 19, 2026 |
| CVE-2026-49291 | HIGH | 8.1 | mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at `/mcp` requires only OAuth `read` scope … | Jun 19, 2026 |
| CVE-2026-49288 | MEDIUM | 4.3 | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and … | Jun 19, 2026 |
| CVE-2026-27878 | MEDIUM | 6.5 | A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting … | Jun 19, 2026 |
| CVE-2026-12726 | MEDIUM | 6.3 | A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload … | Jun 19, 2026 |
| CVE-2026-12238 | MEDIUM | 5.3 | The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. … | Jun 19, 2026 |
| CVE-2023-54357 | HIGH | 7.5 | Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer … | Jun 19, 2026 |
| CVE-2026-49359 | MEDIUM | 6.5 | PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option … | Jun 19, 2026 |
| CVE-2026-49290 | UNKNOWN | — | Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive … | Jun 19, 2026 |