Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

21839
Total
1559
Critical
6635
High
6967
Medium
CVE ID Severity Score Description Published
CVE-2026-56236 MEDIUM 6.1 Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks … Jun 21, 2026
CVE-2026-56229 MEDIUM 6.5 Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications … Jun 21, 2026
CVE-2025-71378 HIGH 8.1 picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan … Jun 21, 2026
CVE-2025-71357 HIGH 8.1 picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote … Jun 21, 2026
CVE-2025-71351 UNKNOWN picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files … Jun 21, 2026
CVE-2025-71348 HIGH 8.1 picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_config function within reduce methods. Attackers can craft pickle files embedding arbitrary code that … Jun 21, 2026
CVE-2026-56355 LOW 3.7 GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization. Jun 20, 2026
CVE-2026-56347 MEDIUM 6.1 AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, … Jun 20, 2026
CVE-2026-56346 MEDIUM 6.5 AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit … Jun 20, 2026
CVE-2026-56345 HIGH 8.1 AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. … Jun 20, 2026
CVE-2026-56342 MEDIUM 6.8 AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which … Jun 20, 2026
CVE-2026-56341 HIGH 7.5 AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated … Jun 20, 2026
CVE-2026-56340 HIGH 8.8 vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, … Jun 20, 2026
CVE-2025-71379 MEDIUM 4.3 vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool … Jun 20, 2026
CVE-2026-5366 CRITICAL 9.9 Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which … Jun 20, 2026
CVE-2026-56332 MEDIUM 4.7 Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter … Jun 20, 2026
CVE-2026-56330 LOW 3.5 Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft … Jun 20, 2026
CVE-2026-56325 LOW 3.1 Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to … Jun 20, 2026
CVE-2026-56319 MEDIUM 4.3 Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through … Jun 20, 2026
CVE-2026-56317 UNKNOWN Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without … Jun 20, 2026
CVE-2026-56307 MEDIUM 4.3 Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops … Jun 20, 2026
CVE-2026-56304 MEDIUM 6.5 picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this … Jun 20, 2026
CVE-2026-56295 MEDIUM 6.3 Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission … Jun 20, 2026
CVE-2026-56294 MEDIUM 4.8 capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic … Jun 20, 2026
CVE-2026-56282 MEDIUM 5.3 Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry including slot names and WAL LSN … Jun 20, 2026