Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22374
Total
1599
Critical
6838
High
7169
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-61858 | LOW | 3.3 | ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to … | Jul 11, 2026 |
| CVE-2026-61857 | LOW | 3.7 | ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially … | Jul 11, 2026 |
| CVE-2026-61465 | LOW | 3.3 | ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny. An attacker can supply … | Jul 11, 2026 |
| CVE-2026-61454 | MEDIUM | 5.3 | The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This … | Jul 11, 2026 |
| CVE-2026-61448 | UNKNOWN | — | Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension … | Jul 11, 2026 |
| CVE-2026-61447 | CRITICAL | 10.0 | PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers … | Jul 11, 2026 |
| CVE-2026-61445 | CRITICAL | 9.9 | PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM … | Jul 11, 2026 |
| CVE-2026-61442 | HIGH | 7.1 | PraisonAI Platform (praisonai-platform) before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A … | Jul 11, 2026 |
| CVE-2026-61439 | HIGH | 7.5 | PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked. … | Jul 11, 2026 |
| CVE-2026-61429 | HIGH | 8.5 | PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding … | Jul 11, 2026 |
| CVE-2026-61428 | HIGH | 7.3 | PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted … | Jul 11, 2026 |
| CVE-2026-61426 | HIGH | 8.6 | PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call … | Jul 11, 2026 |
| CVE-2026-60090 | CRITICAL | 9.8 | PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create_collection() backends. Although schema, keyspace, and collection-name identifiers are … | Jul 11, 2026 |
| CVE-2026-60088 | MEDIUM | 5.5 | PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path … | Jul 11, 2026 |
| CVE-2026-56763 | MEDIUM | 4.8 | Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When … | Jul 11, 2026 |
| CVE-2026-56372 | LOW | 3.3 | ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the magnify operation that allows attackers to read out of bounds memory. An unrecognized magnify:method … | Jul 11, 2026 |
| CVE-2026-56303 | HIGH | 7.5 | Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can … | Jul 11, 2026 |
| CVE-2026-56296 | MEDIUM | 5.3 | Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transfer_app RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated … | Jul 11, 2026 |
| CVE-2026-56240 | MEDIUM | 4.3 | Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan_valid calculation that allows organizations with exhausted or expired usage credit grants to bypass … | Jul 11, 2026 |
| CVE-2026-57828 | UNKNOWN | — | The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE. | Jul 11, 2026 |
| CVE-2026-57827 | UNKNOWN | — | The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. | Jul 11, 2026 |
| CVE-2026-1359 | HIGH | 8.8 | The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on … | Jul 11, 2026 |
| CVE-2026-9282 | HIGH | 7.5 | The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This … | Jul 11, 2026 |
| CVE-2026-9017 | MEDIUM | 5.3 | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This … | Jul 11, 2026 |
| CVE-2026-6939 | HIGH | 7.2 | The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, … | Jul 11, 2026 |