Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23379
Total
1666
Critical
7346
High
7432
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-59713 | HIGH | 8.1 | Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs … | Jul 06, 2026 |
| CVE-2026-59712 | HIGH | 8.1 | Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, … | Jul 06, 2026 |
| CVE-2026-59711 | MEDIUM | 6.1 | showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped … | Jul 06, 2026 |
| CVE-2026-57573 | HIGH | 8.6 | Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server applied its SSRF destination check on the non-streaming /crawl … | Jul 06, 2026 |
| CVE-2026-57572 | CRITICAL | 10.0 | Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied browser_config.extra_args, which flowed into Chromium's launch arguments. … | Jul 06, 2026 |
| CVE-2026-57571 | CRITICAL | 9.6 | Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from … | Jul 06, 2026 |
| CVE-2026-55727 | HIGH | 7.5 | A flaw in the authentication mechanism for video stream requests in Genetec Security Center 5.14.0.0 prior to build 5.14.178.18 may allow an unauthenticated attacker to … | Jul 06, 2026 |
| CVE-2026-55574 | UNKNOWN | — | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string … | Jul 06, 2026 |
| CVE-2026-55514 | UNKNOWN | — | vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with … | Jul 06, 2026 |
| CVE-2026-54765 | UNKNOWN | — | Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted … | Jul 06, 2026 |
| CVE-2026-54764 | UNKNOWN | — | Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives … | Jul 06, 2026 |
| CVE-2026-54763 | UNKNOWN | — | Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity … | Jul 06, 2026 |
| CVE-2026-54709 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-54637. Reason: This candidate is a duplicate of CVE-2026-54637. Notes: All CVE users … | Jul 06, 2026 |
| CVE-2026-54234 | HIGH | 7.5 | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection … | Jul 06, 2026 |
| CVE-2026-50135 | UNKNOWN | — | Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct … | Jul 06, 2026 |
| CVE-2026-48267 | MEDIUM | 5.5 | DNG SDK versions 1.7.1 2536 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could … | Jul 06, 2026 |
| CVE-2026-42341 | UNKNOWN | — | FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. … | Jul 06, 2026 |
| CVE-2026-42331 | UNKNOWN | — | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present … | Jul 06, 2026 |
| CVE-2026-34038 | CRITICAL | 9.9 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment … | Jul 06, 2026 |
| CVE-2026-33734 | UNKNOWN | — | FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the `Massmailer` module filter functionality. … | Jul 06, 2026 |
| CVE-2026-25271 | HIGH | 7.8 | Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use. | Jul 06, 2026 |
| CVE-2026-25268 | HIGH | 8.8 | Memory Corruption when processing invalid HT40 channel layouts during dynamic channel switching operations. | Jul 06, 2026 |
| CVE-2026-21384 | MEDIUM | 5.3 | Memory Corruption when updating prepared commands with invalid port indices based on user space input exceeds supported read client limits. | Jul 06, 2026 |
| CVE-2026-21383 | HIGH | 7.1 | Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security. | Jul 06, 2026 |
| CVE-2026-21379 | HIGH | 7.8 | Memory Corruption when allocating memory with sizes that exceed the maximum allowed value. | Jul 06, 2026 |