Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20648
Total
1489
Critical
6270
High
6549
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-55069 | HIGH | 8.7 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. … | Jun 26, 2026 |
| CVE-2026-53577 | MEDIUM | 6.5 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any … | Jun 26, 2026 |
| CVE-2026-53576 | CRITICAL | 10.0 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path … | Jun 26, 2026 |
| CVE-2026-50767 | UNKNOWN | — | A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with … | Jun 26, 2026 |
| CVE-2026-50766 | UNKNOWN | — | A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with … | Jun 26, 2026 |
| CVE-2026-50765 | UNKNOWN | — | Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator … | Jun 26, 2026 |
| CVE-2026-49984 | HIGH | 7.7 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts … | Jun 26, 2026 |
| CVE-2026-49869 | CRITICAL | 10.0 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from … | Jun 26, 2026 |
| CVE-2026-45807 | HIGH | 7.7 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass … | Jun 26, 2026 |
| CVE-2026-38571 | UNKNOWN | — | Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda … | Jun 26, 2026 |
| CVE-2026-36908 | UNKNOWN | — | A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | Jun 26, 2026 |
| CVE-2026-36907 | UNKNOWN | — | A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | Jun 26, 2026 |
| CVE-2026-36478 | UNKNOWN | — | An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components | Jun 26, 2026 |
| CVE-2026-54353 | HIGH | 8.5 | Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch … | Jun 26, 2026 |
| CVE-2026-54352 | CRITICAL | 9.6 | Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip@2.0.1 into a temp directory, … | Jun 26, 2026 |
| CVE-2026-54351 | HIGH | 8.2 | Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body … | Jun 26, 2026 |
| CVE-2026-54350 | CRITICAL | 10.0 | Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, … | Jun 26, 2026 |
| CVE-2026-52885 | UNKNOWN | — | Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user … | Jun 26, 2026 |
| CVE-2026-52884 | HIGH | 7.8 | Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() … | Jun 26, 2026 |
| CVE-2026-50137 | UNKNOWN | — | Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource … | Jun 26, 2026 |
| CVE-2026-50136 | HIGH | 7.4 | Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored … | Jun 26, 2026 |
| CVE-2026-50132 | HIGH | 7.3 | Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it … | Jun 26, 2026 |
| CVE-2026-48800 | HIGH | 7.8 | Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) … | Jun 26, 2026 |
| CVE-2026-48778 | HIGH | 7.8 | Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored … | Jun 26, 2026 |
| CVE-2026-48770 | MEDIUM | 5.0 | Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed … | Jun 26, 2026 |