Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23329
Total
1657
Critical
7330
High
7410
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-55432 | MEDIUM | 5.4 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a … | Jul 08, 2026 |
| CVE-2026-55431 | HIGH | 7.7 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs … | Jul 08, 2026 |
| CVE-2026-55430 | MEDIUM | 5.8 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target … | Jul 08, 2026 |
| CVE-2026-55429 | HIGH | 8.7 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on … | Jul 08, 2026 |
| CVE-2026-55428 | HIGH | 8.2 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's … | Jul 08, 2026 |
| CVE-2026-55427 | HIGH | 8.3 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, … | Jul 08, 2026 |
| CVE-2026-55079 | MEDIUM | 4.9 | Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in … | Jul 08, 2026 |
| CVE-2026-59705 | CRITICAL | 9.8 | mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered … | Jul 07, 2026 |
| CVE-2026-59704 | HIGH | 7.1 | Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can … | Jul 07, 2026 |
| CVE-2026-55078 | MEDIUM | 6.5 | Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` … | Jul 07, 2026 |
| CVE-2026-55077 | HIGH | 7.2 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` … | Jul 07, 2026 |
| CVE-2026-55076 | HIGH | 7.4 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a … | Jul 07, 2026 |
| CVE-2026-51937 | HIGH | 7.5 | An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component | Jul 07, 2026 |
| CVE-2026-50811 | MEDIUM | 6.5 | An out-of-bounds read vulnerability exists in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 in src/truetype/ttgxvar.c, in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates | Jul 07, 2026 |
| CVE-2026-50810 | UNKNOWN | — | A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service | Jul 07, 2026 |
| CVE-2026-37271 | UNKNOWN | — | Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. … | Jul 07, 2026 |
| CVE-2026-37270 | UNKNOWN | — | Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware. | Jul 07, 2026 |
| CVE-2026-36163 | UNKNOWN | — | An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's … | Jul 07, 2026 |
| CVE-2026-36162 | MEDIUM | 5.4 | An authenticated stored cross-site scripting (XSS) vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via … | Jul 07, 2026 |
| CVE-2026-14895 | HIGH | 7.5 | String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service. The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. … | Jul 07, 2026 |
| CVE-2026-14740 | CRITICAL | 9.1 | DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes … | Jul 07, 2026 |
| CVE-2026-14739 | CRITICAL | 9.8 | DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did … | Jul 07, 2026 |
| CVE-2026-14380 | UNKNOWN | — | DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, … | Jul 07, 2026 |
| CVE-2026-59706 | CRITICAL | 9.3 | mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can … | Jul 07, 2026 |
| CVE-2026-59153 | UNKNOWN | — | Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages … | Jul 07, 2026 |