Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

23329
Total
1657
Critical
7330
High
7410
Medium
CVE ID Severity Score Description Published
CVE-2026-55432 MEDIUM 5.4 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a … Jul 08, 2026
CVE-2026-55431 HIGH 7.7 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs … Jul 08, 2026
CVE-2026-55430 MEDIUM 5.8 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target … Jul 08, 2026
CVE-2026-55429 HIGH 8.7 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on … Jul 08, 2026
CVE-2026-55428 HIGH 8.2 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's … Jul 08, 2026
CVE-2026-55427 HIGH 8.3 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, … Jul 08, 2026
CVE-2026-55079 MEDIUM 4.9 Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in … Jul 08, 2026
CVE-2026-59705 CRITICAL 9.8 mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered … Jul 07, 2026
CVE-2026-59704 HIGH 7.1 Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can … Jul 07, 2026
CVE-2026-55078 MEDIUM 6.5 Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` … Jul 07, 2026
CVE-2026-55077 HIGH 7.2 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` … Jul 07, 2026
CVE-2026-55076 HIGH 7.4 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a … Jul 07, 2026
CVE-2026-51937 HIGH 7.5 An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component Jul 07, 2026
CVE-2026-50811 MEDIUM 6.5 An out-of-bounds read vulnerability exists in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 in src/truetype/ttgxvar.c, in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates Jul 07, 2026
CVE-2026-50810 UNKNOWN A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service Jul 07, 2026
CVE-2026-37271 UNKNOWN Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. … Jul 07, 2026
CVE-2026-37270 UNKNOWN Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware. Jul 07, 2026
CVE-2026-36163 UNKNOWN An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's … Jul 07, 2026
CVE-2026-36162 MEDIUM 5.4 An authenticated stored cross-site scripting (XSS) vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via … Jul 07, 2026
CVE-2026-14895 HIGH 7.5 String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service. The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. … Jul 07, 2026
CVE-2026-14740 CRITICAL 9.1 DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes … Jul 07, 2026
CVE-2026-14739 CRITICAL 9.8 DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did … Jul 07, 2026
CVE-2026-14380 UNKNOWN DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, … Jul 07, 2026
CVE-2026-59706 CRITICAL 9.3 mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can … Jul 07, 2026
CVE-2026-59153 UNKNOWN Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages … Jul 07, 2026