Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23379
Total
1666
Critical
7346
High
7432
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-58266 | MEDIUM | 6.5 | Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, … | Jul 07, 2026 |
| CVE-2026-55490 | MEDIUM | 6.5 | OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker … | Jul 07, 2026 |
| CVE-2026-55418 | HIGH | 8.6 | FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read … | Jul 07, 2026 |
| CVE-2026-55408 | UNKNOWN | — | Koodo Reader is an ebook reader. In version 2.3.0 and earlier, Koodo Reader is vulnerable to remote code execution through malicious EPUB files because the … | Jul 07, 2026 |
| CVE-2026-55075 | HIGH | 7.4 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained … | Jul 07, 2026 |
| CVE-2026-54698 | UNKNOWN | — | Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on … | Jul 07, 2026 |
| CVE-2026-54607 | HIGH | 7.7 | FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, … | Jul 07, 2026 |
| CVE-2026-54602 | UNKNOWN | — | FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId … | Jul 07, 2026 |
| CVE-2026-54601 | MEDIUM | 6.3 | FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in … | Jul 07, 2026 |
| CVE-2026-50179 | MEDIUM | 4.2 | Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify … | Jul 07, 2026 |
| CVE-2026-49229 | HIGH | 8.3 | Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, … | Jul 07, 2026 |
| CVE-2026-49033 | HIGH | 7.8 | The application contains a stack-based buffer overflow vulnerability that can be exploited by an attacker to execute arbitrary code. | Jul 07, 2026 |
| CVE-2026-46354 | CRITICAL | 9.1 | Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the … | Jul 07, 2026 |
| CVE-2026-45796 | MEDIUM | 6.5 | Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind … | Jul 07, 2026 |
| CVE-2026-42958 | HIGH | 7.8 | The application contains a use-after-free vulnerability that can be exploited to cause memory corruption while parsing specially crafted files. This could allow an attacker to … | Jul 07, 2026 |
| CVE-2026-42953 | UNKNOWN | — | The application contains an out-of-bounds write vulnerability that can be exploited by an attacker to cause the program to write data past the end of … | Jul 07, 2026 |
| CVE-2026-28378 | LOW | 3.1 | The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different … | Jul 07, 2026 |
| CVE-2026-59707 | HIGH | 8.6 | LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized … | Jul 07, 2026 |
| CVE-2026-58583 | HIGH | 7.1 | FluxInk (formerly Sunia SPB Peripheral) Color Management Driver (TcnPeripheral64.sys) 1.0.7.2 allows local privilege escalation for a standard user account via arbitrary physical memory mapping at … | Jul 07, 2026 |
| CVE-2026-58473 | CRITICAL | 9.1 | Cognee before 1.2.0 contains an improper access control vulnerability that allows unauthenticated attackers to overwrite the global LLM provider configuration by self-registering an account and … | Jul 07, 2026 |
| CVE-2026-58472 | MEDIUM | 5.9 | GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker … | Jul 07, 2026 |
| CVE-2026-58471 | MEDIUM | 5.9 | GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to … | Jul 07, 2026 |
| CVE-2026-58470 | MEDIUM | 5.3 | GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause … | Jul 07, 2026 |
| CVE-2026-58469 | HIGH | 7.5 | GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server … | Jul 07, 2026 |
| CVE-2026-57172 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker … | Jul 07, 2026 |