Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23379
Total
1666
Critical
7346
High
7432
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-55647 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side … | Jul 07, 2026 |
| CVE-2026-55635 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, chart quota and Y-axis filters embed attacker-controlled filter values directly into generated … | Jul 07, 2026 |
| CVE-2026-55633 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows … | Jul 07, 2026 |
| CVE-2026-55631 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName … | Jul 07, 2026 |
| CVE-2026-55592 | LOW | 3.9 | Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source … | Jul 07, 2026 |
| CVE-2026-55434 | MEDIUM | 6.5 | Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers … | Jul 07, 2026 |
| CVE-2026-55417 | UNKNOWN | — | Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their … | Jul 07, 2026 |
| CVE-2026-53935 | MEDIUM | 6.9 | Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to … | Jul 07, 2026 |
| CVE-2026-53751 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the H2 database JDBC URL validation logic can be bypassed with special … | Jul 07, 2026 |
| CVE-2026-53730 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any … | Jul 07, 2026 |
| CVE-2026-53729 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download (/exportCenter/download/{id}), delete (/exportCenter/delete), retry (/exportCenter/retry/{id}), or generate … | Jul 07, 2026 |
| CVE-2026-53511 | UNKNOWN | — | calibre is an e-book manager. Prior to 9.10.0, a malicious EPUB, OPF, or PDF file can execute arbitrary Python code when its metadata is read … | Jul 07, 2026 |
| CVE-2026-50530 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the … | Jul 07, 2026 |
| CVE-2026-50529 | UNKNOWN | — | DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share … | Jul 07, 2026 |
| CVE-2026-50007 | UNKNOWN | — | Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to … | Jul 07, 2026 |
| CVE-2026-49471 | HIGH | 8.3 | Serena is a powerful MCP toolkit for coding that provides semantic retrieval and editing capabilities. Prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated … | Jul 07, 2026 |
| CVE-2026-46700 | MEDIUM | 4.3 | Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session … | Jul 07, 2026 |
| CVE-2026-46672 | MEDIUM | 4.6 | Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option … | Jul 07, 2026 |
| CVE-2026-44454 | HIGH | 8.1 | Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to … | Jul 07, 2026 |
| CVE-2026-58468 | MEDIUM | 5.5 | NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying … | Jul 07, 2026 |
| CVE-2026-44877 | MEDIUM | 6.5 | An unauthenticated remote disclosure vulnerability has been identified in HPE Networking Instant On 1830, 1930, and 1960 Switches. Successful exploitation of this vulnerability could allow … | Jul 07, 2026 |
| CVE-2026-7017 | HIGH | 7.1 | HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header … | Jul 07, 2026 |
| CVE-2026-59800 | CRITICAL | 9.8 | 9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, … | Jul 07, 2026 |
| CVE-2026-59708 | HIGH | 7.5 | The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private … | Jul 07, 2026 |
| CVE-2026-55435 | MEDIUM | 5.4 | Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy … | Jul 07, 2026 |