Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21960
Total
1564
Critical
6679
High
7025
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-44784 | MEDIUM | 6.5 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are … | Jun 12, 2026 |
| CVE-2026-44783 | MEDIUM | 5.4 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how … | Jun 12, 2026 |
| CVE-2026-44782 | MEDIUM | 4.3 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as … | Jun 12, 2026 |
| CVE-2026-44780 | MEDIUM | 4.3 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] … | Jun 12, 2026 |
| CVE-2026-44779 | MEDIUM | 4.3 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose … | Jun 12, 2026 |
| CVE-2026-42853 | MEDIUM | 6.5 | ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the … | Jun 12, 2026 |
| CVE-2026-24618 | MEDIUM | 4.3 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data. This issue affects Hash Elements: … | Jun 12, 2026 |
| CVE-2026-12130 | LOW | 3.5 | A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component … | Jun 12, 2026 |
| CVE-2026-12129 | LOW | 3.5 | A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/add_tod of the … | Jun 12, 2026 |
| CVE-2026-54361 | UNKNOWN | — | MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that … | Jun 12, 2026 |
| CVE-2026-54360 | UNKNOWN | — | A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id … | Jun 12, 2026 |
| CVE-2026-54359 | UNKNOWN | — | MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or … | Jun 12, 2026 |
| CVE-2026-54358 | UNKNOWN | — | An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. … | Jun 12, 2026 |
| CVE-2026-54357 | UNKNOWN | — | An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same … | Jun 12, 2026 |
| CVE-2026-54055 | MEDIUM | 5.0 | Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a … | Jun 12, 2026 |
| CVE-2026-50552 | MEDIUM | 6.3 | Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation … | Jun 12, 2026 |
| CVE-2026-50287 | UNKNOWN | — | AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or … | Jun 12, 2026 |
| CVE-2026-47260 | HIGH | 7.7 | Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + … | Jun 12, 2026 |
| CVE-2026-43872 | UNKNOWN | — | Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue. | Jun 12, 2026 |
| CVE-2026-42890 | UNKNOWN | — | Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing … | Jun 12, 2026 |
| CVE-2026-42851 | HIGH | 7.8 | Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote … | Jun 12, 2026 |
| CVE-2026-42850 | UNKNOWN | — | Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A … | Jun 12, 2026 |
| CVE-2026-42604 | UNKNOWN | — | Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the … | Jun 12, 2026 |
| CVE-2026-53726 | UNKNOWN | — | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a … | Jun 12, 2026 |
| CVE-2026-53725 | UNKNOWN | — | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, … | Jun 12, 2026 |