Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20528
Total
1468
Critical
6215
High
6518
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-13763 | CRITICAL | 9.8 | Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body … | Jun 29, 2026 |
| CVE-2026-13762 | CRITICAL | 9.8 | Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via … | Jun 29, 2026 |
| CVE-2026-13593 | MEDIUM | 6.5 | CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when … | Jun 29, 2026 |
| CVE-2026-13008 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-57700. Reason: This candidate is a reservation duplicate of CVE-2026-57700. Notes: All CVE … | Jun 29, 2026 |
| CVE-2026-58000 | HIGH | 8.8 | luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a … | Jun 29, 2026 |
| CVE-2026-57999 | HIGH | 8.8 | luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because … | Jun 29, 2026 |
| CVE-2026-53428 | UNKNOWN | — | Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines … | Jun 29, 2026 |
| CVE-2026-53427 | UNKNOWN | — | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. When syntax … | Jun 29, 2026 |
| CVE-2026-13757 | MEDIUM | 6.2 | A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit … | Jun 29, 2026 |
| CVE-2026-57960 | MEDIUM | 6.5 | Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal … | Jun 29, 2026 |
| CVE-2026-57959 | MEDIUM | 5.9 | Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo … | Jun 29, 2026 |
| CVE-2026-57958 | MEDIUM | 6.1 | Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth … | Jun 29, 2026 |
| CVE-2026-57957 | MEDIUM | 4.7 | Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based … | Jun 29, 2026 |
| CVE-2026-57956 | MEDIUM | 6.4 | SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, … | Jun 29, 2026 |
| CVE-2026-57955 | HIGH | 8.5 | SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID … | Jun 29, 2026 |
| CVE-2026-57954 | MEDIUM | 4.3 | Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden … | Jun 29, 2026 |
| CVE-2026-57953 | MEDIUM | 5.4 | Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under … | Jun 29, 2026 |
| CVE-2026-57952 | MEDIUM | 5.3 | Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in … | Jun 29, 2026 |
| CVE-2026-57951 | MEDIUM | 6.5 | Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators … | Jun 29, 2026 |
| CVE-2026-57950 | HIGH | 8.1 | ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access … | Jun 29, 2026 |
| CVE-2026-57949 | MEDIUM | 6.5 | ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read … | Jun 29, 2026 |
| CVE-2026-57948 | MEDIUM | 6.8 | Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure … | Jun 29, 2026 |
| CVE-2026-57947 | HIGH | 8.5 | Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing … | Jun 29, 2026 |
| CVE-2026-57946 | LOW | 3.7 | Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist … | Jun 29, 2026 |
| CVE-2026-57945 | MEDIUM | 4.3 | PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary … | Jun 29, 2026 |