Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22332
Total
1596
Critical
6832
High
7160
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-10668 | LOW | 2.4 | The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot … | Jul 12, 2026 |
| CVE-2026-10667 | HIGH | 7.8 | Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was performed … | Jul 12, 2026 |
| CVE-2026-10666 | HIGH | 8.1 | parse_ipv4() in subsys/net/ip/utils.c (reached via net_ipaddr_parse() for strings of the form "a.b.c.d:port") copies the port substring into a fixed 17-byte stack buffer (char ipaddr[NET_IPV4_ADDR_LEN + … | Jul 12, 2026 |
| CVE-2026-10665 | HIGH | 7.4 | In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call … | Jul 12, 2026 |
| CVE-2026-10664 | MEDIUM | 5.0 | The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixed-size twt_flows[WIFI_MAX_TWT_FLOWS] … | Jul 12, 2026 |
| CVE-2026-10663 | MEDIUM | 6.1 | In Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK), usbh_device_disconnect() (subsys/usb/host/usbh_device.c) freed the root usb_device slab object without clearing the cached pointer ctx->root. The bus removal handler … | Jul 12, 2026 |
| CVE-2026-58596 | HIGH | 8.3 | Untrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network. | Jul 12, 2026 |
| CVE-2026-15502 | MEDIUM | 6.3 | A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The … | Jul 12, 2026 |
| CVE-2026-15501 | MEDIUM | 6.3 | A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function ToolsRoute.test_mcp_connection of the file astrbot/dashboard/routes/tools.py of … | Jul 12, 2026 |
| CVE-2026-61876 | HIGH | 8.8 | LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send … | Jul 12, 2026 |
| CVE-2026-61875 | HIGH | 8.8 | luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious … | Jul 12, 2026 |
| CVE-2026-61874 | LOW | 3.1 | filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers … | Jul 12, 2026 |
| CVE-2026-59260 | HIGH | 8.8 | OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can pass … | Jul 12, 2026 |
| CVE-2026-56336 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal org_id and provider_id values. Attackers can enumerate email domains … | Jul 12, 2026 |
| CVE-2026-56313 | HIGH | 8.1 | Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in … | Jul 12, 2026 |
| CVE-2026-56308 | HIGH | 7.3 | Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a … | Jul 12, 2026 |
| CVE-2026-56281 | LOW | 3.8 | Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/admin_stats endpoint where the limit parameter is destructured from unvalidated request body and interpolated … | Jul 12, 2026 |
| CVE-2026-56271 | CRITICAL | 9.8 | Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in … | Jul 12, 2026 |
| CVE-2026-56260 | CRITICAL | 9.1 | Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The output_path parameter accepts arbitrary filesystem paths … | Jul 12, 2026 |
| CVE-2026-56259 | HIGH | 8.2 | Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read … | Jul 12, 2026 |
| CVE-2026-56252 | MEDIUM | 5.4 | Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with … | Jul 12, 2026 |
| CVE-2026-56241 | HIGH | 8.3 | Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not … | Jul 12, 2026 |
| CVE-2026-56238 | HIGH | 7.5 | Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics … | Jul 12, 2026 |
| CVE-2026-15500 | MEDIUM | 6.3 | A weakness has been identified in AstrBotDevs AstrBot up to 4.25.2. Affected by this vulnerability is the function get_online_plugins of the file astrbot/dashboard/routes/plugin.py of the … | Jul 12, 2026 |
| CVE-2026-15499 | MEDIUM | 6.3 | A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled … | Jul 12, 2026 |