Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22374
Total
1599
Critical
6838
High
7169
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41695 | HIGH | 7.5 | Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path … | Jun 10, 2026 |
| CVE-2026-41694 | LOW | 3.7 | Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able … | Jun 10, 2026 |
| CVE-2026-41008 | MEDIUM | 6.1 | Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri … | Jun 10, 2026 |
| CVE-2026-41003 | HIGH | 7.6 | An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: … | Jun 10, 2026 |
| CVE-2026-40993 | HIGH | 7.3 | An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing … | Jun 10, 2026 |
| CVE-2026-40991 | MEDIUM | 5.9 | When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting … | Jun 10, 2026 |
| CVE-2026-40988 | HIGH | 7.5 | An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of … | Jun 10, 2026 |
| CVE-2026-9754 | MEDIUM | 6.5 | An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command | Jun 09, 2026 |
| CVE-2026-9753 | HIGH | 8.1 | The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the … | Jun 09, 2026 |
| CVE-2026-9752 | MEDIUM | 6.5 | An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing … | Jun 09, 2026 |
| CVE-2026-9751 | MEDIUM | 5.5 | The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text. | Jun 09, 2026 |
| CVE-2026-9750 | MEDIUM | 6.5 | An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query … | Jun 09, 2026 |
| CVE-2026-9749 | MEDIUM | 6.5 | This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single … | Jun 09, 2026 |
| CVE-2026-9748 | MEDIUM | 6.5 | The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general … | Jun 09, 2026 |
| CVE-2026-9747 | MEDIUM | 6.5 | Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server. | Jun 09, 2026 |
| CVE-2026-9746 | MEDIUM | 6.5 | When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges … | Jun 09, 2026 |
| CVE-2026-9743 | MEDIUM | 6.5 | In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on … | Jun 09, 2026 |
| CVE-2026-9742 | HIGH | 7.5 | When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. … | Jun 09, 2026 |
| CVE-2026-9741 | MEDIUM | 6.5 | A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values … | Jun 09, 2026 |
| CVE-2026-9740 | HIGH | 7.5 | A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON … | Jun 09, 2026 |
| CVE-2026-9735 | MEDIUM | 5.5 | MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication … | Jun 09, 2026 |
| CVE-2026-46433 | MEDIUM | 6.5 | lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling … | Jun 09, 2026 |
| CVE-2026-46374 | HIGH | 7.5 | SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users … | Jun 09, 2026 |
| CVE-2026-46373 | HIGH | 7.5 | SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users … | Jun 09, 2026 |
| CVE-2026-44963 | UNKNOWN | — | A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. | Jun 09, 2026 |