Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21839
Total
1559
Critical
6635
High
6967
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-56408 | MEDIUM | 6.9 | libexpat before 2.8.2 has an integer overflow in copyString. | Jun 21, 2026 |
| CVE-2026-56407 | MEDIUM | 6.9 | libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. | Jun 21, 2026 |
| CVE-2026-56406 | MEDIUM | 6.9 | libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. | Jun 21, 2026 |
| CVE-2026-56405 | MEDIUM | 6.9 | libexpat before 2.8.2 has an integer overflow in getAttributeId. | Jun 21, 2026 |
| CVE-2026-56404 | MEDIUM | 6.9 | libexpat before 2.8.2 has an integer overflow in addBinding. | Jun 21, 2026 |
| CVE-2026-56403 | MEDIUM | 6.9 | libexpat before 2.8.2 has an integer overflow in storeAtts. | Jun 21, 2026 |
| CVE-2026-56397 | CRITICAL | 9.6 | SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. … | Jun 21, 2026 |
| CVE-2026-56396 | HIGH | 8.8 | phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can … | Jun 21, 2026 |
| CVE-2026-56395 | CRITICAL | 9.6 | SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. … | Jun 21, 2026 |
| CVE-2026-56394 | MEDIUM | 6.5 | Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. … | Jun 21, 2026 |
| CVE-2026-56393 | MEDIUM | 4.8 | Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option … | Jun 21, 2026 |
| CVE-2026-56385 | MEDIUM | 4.3 | Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce … | Jun 21, 2026 |
| CVE-2026-56384 | MEDIUM | 4.3 | Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call … | Jun 21, 2026 |
| CVE-2026-56383 | MEDIUM | 4.8 | Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize … | Jun 21, 2026 |
| CVE-2026-56382 | HIGH | 7.2 | Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig … | Jun 21, 2026 |
| CVE-2026-56381 | MEDIUM | 4.8 | Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML … | Jun 21, 2026 |
| CVE-2026-56378 | LOW | 3.7 | ImageMagick before 7.1.2-15 (and 6.x before 6.9.13-40) contains a heap out-of-bounds read in the PCD coder's DecodeImage loop. A crafted PCD file can trigger a … | Jun 21, 2026 |
| CVE-2026-56367 | LOW | 3.7 | ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB (PSD v2) RLE decoding path (ReadPSDChannelRLE in coders/psd.c) that causes a … | Jun 21, 2026 |
| CVE-2026-56316 | MEDIUM | 5.3 | Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable … | Jun 21, 2026 |
| CVE-2026-56299 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send … | Jun 21, 2026 |
| CVE-2026-56265 | CRITICAL | 9.8 | Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the … | Jun 21, 2026 |
| CVE-2026-56253 | HIGH | 7.5 | Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke … | Jun 21, 2026 |
| CVE-2026-56251 | MEDIUM | 6.5 | Capgo before 12.128.2 contains a broken row level security policy in the org_users table that allows authenticated users to elevate privileges from admin to super_admin. … | Jun 21, 2026 |
| CVE-2026-56242 | HIGH | 7.5 | Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity … | Jun 21, 2026 |
| CVE-2026-56239 | HIGH | 7.6 | Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks … | Jun 21, 2026 |