Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21880
Total
1559
Critical
6647
High
6994
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-49337 | MEDIUM | 4.3 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) … | Jun 19, 2026 |
| CVE-2026-49295 | HIGH | 7.1 | libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write … | Jun 19, 2026 |
| CVE-2026-48794 | UNKNOWN | — | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through … | Jun 19, 2026 |
| CVE-2026-48584 | CRITICAL | 9.9 | Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network. | Jun 19, 2026 |
| CVE-2026-48582 | CRITICAL | 9.6 | Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. | Jun 19, 2026 |
| CVE-2026-48129 | MEDIUM | 6.5 | Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the … | Jun 19, 2026 |
| CVE-2026-47645 | HIGH | 8.8 | Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network. | Jun 19, 2026 |
| CVE-2026-47203 | UNKNOWN | — | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through … | Jun 19, 2026 |
| CVE-2026-45480 | CRITICAL | 10.0 | Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network. | Jun 19, 2026 |
| CVE-2026-42895 | MEDIUM | 6.5 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. | Jun 19, 2026 |
| CVE-2026-32208 | HIGH | 8.8 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network. | Jun 19, 2026 |
| CVE-2026-49345 | UNKNOWN | — | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists … | Jun 19, 2026 |
| CVE-2026-49344 | UNKNOWN | — | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON … | Jun 19, 2026 |
| CVE-2026-49342 | MEDIUM | 5.3 | YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the … | Jun 19, 2026 |
| CVE-2026-48787 | UNKNOWN | — | gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit … | Jun 19, 2026 |
| CVE-2026-48774 | HIGH | 7.5 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented … | Jun 19, 2026 |
| CVE-2026-48773 | CRITICAL | 9.8 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in … | Jun 19, 2026 |
| CVE-2026-48772 | CRITICAL | 10.0 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY … | Jun 19, 2026 |
| CVE-2026-48715 | UNKNOWN | — | radvd is a router advertisement daemon for IPv6. Prior to version 2.21, the `radvdump` utility shipped with radvd contains a stack buffer overflow in the … | Jun 19, 2026 |
| CVE-2026-48089 | UNKNOWN | — | DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any … | Jun 19, 2026 |
| CVE-2026-9375 | HIGH | 7.5 | urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three … | Jun 19, 2026 |
| CVE-2026-49340 | HIGH | 8.1 | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic … | Jun 19, 2026 |
| CVE-2026-49339 | HIGH | 7.1 | gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. … | Jun 19, 2026 |
| CVE-2026-49338 | HIGH | 7.1 | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no … | Jun 19, 2026 |
| CVE-2026-49336 | UNKNOWN | — | @microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect … | Jun 19, 2026 |