Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23830
Total
1706
Critical
7474
High
7609
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-54500 | MEDIUM | 5.3 | Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads … | Jul 01, 2026 |
| CVE-2026-57995 | HIGH | 8.8 | phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those … | Jun 30, 2026 |
| CVE-2026-56777 | MEDIUM | 5.0 | n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with … | Jun 30, 2026 |
| CVE-2026-56700 | CRITICAL | 9.8 | Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed … | Jun 30, 2026 |
| CVE-2026-56415 | CRITICAL | 10.0 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a … | Jun 30, 2026 |
| CVE-2026-56413 | CRITICAL | 10.0 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom … | Jun 30, 2026 |
| CVE-2026-56399 | MEDIUM | 5.0 | Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate … | Jun 30, 2026 |
| CVE-2026-56377 | LOW | 3.3 | ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path … | Jun 30, 2026 |
| CVE-2026-56369 | LOW | 3.7 | ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher … | Jun 30, 2026 |
| CVE-2026-56365 | LOW | 3.7 | ImageMagick before 7.1.2-19 contains a memory leak vulnerability in the PNG encoder when writing MNG images. Attackers can trigger the encoder failure condition to exhaust … | Jun 30, 2026 |
| CVE-2026-56364 | LOW | 1.9 | ImageMagick before 7.1.2-13 contains a memory leak vulnerability in LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with … | Jun 30, 2026 |
| CVE-2026-56363 | LOW | 3.3 | ImageMagick before 7.1.2-22 contains a division by zero vulnerability in binomial kernel processing that allows attackers to cause denial of service. An attacker can supply … | Jun 30, 2026 |
| CVE-2026-56361 | LOW | 3.3 | ImageMagick before 7.1.2-19 contains an off-by-one error in morphology validation allowing out-of-bounds heap buffer reads. Attackers can trigger heap buffer overflow by providing incorrect morphology … | Jun 30, 2026 |
| CVE-2026-56356 | MEDIUM | 5.4 | n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases … | Jun 30, 2026 |
| CVE-2026-56350 | MEDIUM | 6.3 | n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials … | Jun 30, 2026 |
| CVE-2026-56334 | MEDIUM | 4.3 | Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can … | Jun 30, 2026 |
| CVE-2026-56333 | MEDIUM | 4.3 | Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers … | Jun 30, 2026 |
| CVE-2026-56331 | MEDIUM | 5.3 | Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers … | Jun 30, 2026 |
| CVE-2026-56328 | MEDIUM | 6.5 | Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to … | Jun 30, 2026 |
| CVE-2026-56327 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error … | Jun 30, 2026 |
| CVE-2026-56320 | HIGH | 7.1 | Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. … | Jun 30, 2026 |
| CVE-2026-56318 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated … | Jun 30, 2026 |
| CVE-2026-56300 | HIGH | 7.5 | Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using … | Jun 30, 2026 |
| CVE-2026-56286 | HIGH | 8.1 | Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete … | Jun 30, 2026 |
| CVE-2026-56278 | CRITICAL | 9.1 | Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is … | Jun 30, 2026 |