Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

20528
Total
1468
Critical
6215
High
6518
Medium
CVE ID Severity Score Description Published
CVE-2026-13763 CRITICAL 9.8 Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body … Jun 29, 2026
CVE-2026-13762 CRITICAL 9.8 Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via … Jun 29, 2026
CVE-2026-13593 MEDIUM 6.5 CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when … Jun 29, 2026
CVE-2026-13008 UNKNOWN Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-57700. Reason: This candidate is a reservation duplicate of CVE-2026-57700. Notes: All CVE … Jun 29, 2026
CVE-2026-58000 HIGH 8.8 luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a … Jun 29, 2026
CVE-2026-57999 HIGH 8.8 luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because … Jun 29, 2026
CVE-2026-53428 UNKNOWN Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines … Jun 29, 2026
CVE-2026-53427 UNKNOWN Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. When syntax … Jun 29, 2026
CVE-2026-13757 MEDIUM 6.2 A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit … Jun 29, 2026
CVE-2026-57960 MEDIUM 6.5 Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal … Jun 29, 2026
CVE-2026-57959 MEDIUM 5.9 Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo … Jun 29, 2026
CVE-2026-57958 MEDIUM 6.1 Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth … Jun 29, 2026
CVE-2026-57957 MEDIUM 4.7 Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based … Jun 29, 2026
CVE-2026-57956 MEDIUM 6.4 SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, … Jun 29, 2026
CVE-2026-57955 HIGH 8.5 SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID … Jun 29, 2026
CVE-2026-57954 MEDIUM 4.3 Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden … Jun 29, 2026
CVE-2026-57953 MEDIUM 5.4 Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under … Jun 29, 2026
CVE-2026-57952 MEDIUM 5.3 Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in … Jun 29, 2026
CVE-2026-57951 MEDIUM 6.5 Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators … Jun 29, 2026
CVE-2026-57950 HIGH 8.1 ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access … Jun 29, 2026
CVE-2026-57949 MEDIUM 6.5 ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read … Jun 29, 2026
CVE-2026-57948 MEDIUM 6.8 Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure … Jun 29, 2026
CVE-2026-57947 HIGH 8.5 Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing … Jun 29, 2026
CVE-2026-57946 LOW 3.7 Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist … Jun 29, 2026
CVE-2026-57945 MEDIUM 4.3 PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary … Jun 29, 2026