Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

23379
Total
1666
Critical
7346
High
7432
Medium
CVE ID Severity Score Description Published
CVE-2026-55647 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side … Jul 07, 2026
CVE-2026-55635 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, chart quota and Y-axis filters embed attacker-controlled filter values directly into generated … Jul 07, 2026
CVE-2026-55633 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows … Jul 07, 2026
CVE-2026-55631 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the font management module allows authenticated users to submit an arbitrary fileTransName … Jul 07, 2026
CVE-2026-55592 LOW 3.9 Dashy is a self-hostable personal dashboard. Prior to 4.3.7, Dashy's workspace view trusts the url query parameter and assigns it directly to an iframe source … Jul 07, 2026
CVE-2026-55434 MEDIUM 6.5 Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers … Jul 07, 2026
CVE-2026-55417 UNKNOWN Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their … Jul 07, 2026
CVE-2026-53935 MEDIUM 6.9 Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to … Jul 07, 2026
CVE-2026-53751 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the H2 database JDBC URL validation logic can be bypassed with special … Jul 07, 2026
CVE-2026-53730 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/datasetData/previewSql endpoint lacks the mandatory @DePermit permission validation annotation, allowing any … Jul 07, 2026
CVE-2026-53729 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, any authenticated user can download (/exportCenter/download/{id}), delete (/exportCenter/delete), retry (/exportCenter/retry/{id}), or generate … Jul 07, 2026
CVE-2026-53511 UNKNOWN calibre is an e-book manager. Prior to 9.10.0, a malicious EPUB, OPF, or PDF file can execute arbitrary Python code when its metadata is read … Jul 07, 2026
CVE-2026-50530 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the … Jul 07, 2026
CVE-2026-50529 UNKNOWN DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share … Jul 07, 2026
CVE-2026-50007 UNKNOWN Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to … Jul 07, 2026
CVE-2026-49471 HIGH 8.3 Serena is a powerful MCP toolkit for coding that provides semantic retrieval and editing capabilities. Prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated … Jul 07, 2026
CVE-2026-46700 MEDIUM 4.3 Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session … Jul 07, 2026
CVE-2026-46672 MEDIUM 4.6 Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option … Jul 07, 2026
CVE-2026-44454 HIGH 8.1 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to … Jul 07, 2026
CVE-2026-58468 MEDIUM 5.5 NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying … Jul 07, 2026
CVE-2026-44877 MEDIUM 6.5 An unauthenticated remote disclosure vulnerability has been identified in HPE Networking Instant On 1830, 1930, and 1960 Switches. Successful exploitation of this vulnerability could allow … Jul 07, 2026
CVE-2026-7017 HIGH 7.1 HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header … Jul 07, 2026
CVE-2026-59800 CRITICAL 9.8 9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, … Jul 07, 2026
CVE-2026-59708 HIGH 7.5 The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private … Jul 07, 2026
CVE-2026-55435 MEDIUM 5.4 Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy … Jul 07, 2026