Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22471
Total
1617
Critical
6868
High
7196
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-55804 | UNKNOWN | — | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, … | Jul 10, 2026 |
| CVE-2026-55803 | UNKNOWN | — | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, … | Jul 10, 2026 |
| CVE-2026-55187 | MEDIUM | 5.8 | Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in … | Jul 10, 2026 |
| CVE-2026-54736 | UNKNOWN | — | Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, … | Jul 10, 2026 |
| CVE-2026-52761 | MEDIUM | 5.8 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through 3.0.15, the t:utf8toUnicode transformation in … | Jul 10, 2026 |
| CVE-2026-52747 | HIGH | 8.6 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser … | Jul 10, 2026 |
| CVE-2026-49844 | UNKNOWN | — | Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache … | Jul 10, 2026 |
| CVE-2026-49394 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because public workspaces did not … | Jul 10, 2026 |
| CVE-2026-49213 | HIGH | 8.1 | TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/validateHttpReqUrl.ts can be bypassed with the IPv6 unspecified address :: because … | Jul 10, 2026 |
| CVE-2026-48127 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API … | Jul 10, 2026 |
| CVE-2026-47422 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been … | Jul 10, 2026 |
| CVE-2026-47199 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, check_safe_sql_query permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites … | Jul 10, 2026 |
| CVE-2026-44795 | HIGH | 8.8 | Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation … | Jul 10, 2026 |
| CVE-2026-42219 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via download_backups was possible due to lack of hardening. This issue … | Jul 10, 2026 |
| CVE-2026-41482 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in … | Jul 10, 2026 |
| CVE-2026-15085 | UNKNOWN | — | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer … | Jul 10, 2026 |
| CVE-2026-15084 | UNKNOWN | — | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects … | Jul 10, 2026 |
| CVE-2026-15083 | UNKNOWN | — | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - … | Jul 10, 2026 |
| CVE-2026-15082 | UNKNOWN | — | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: … | Jul 10, 2026 |
| CVE-2026-15081 | UNKNOWN | — | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector … | Jul 10, 2026 |
| CVE-2026-15080 | UNKNOWN | — | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to … | Jul 10, 2026 |
| CVE-2026-15079 | UNKNOWN | — | Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4. | Jul 10, 2026 |
| CVE-2026-13244 | UNKNOWN | — | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: … | Jul 10, 2026 |
| CVE-2026-13243 | UNKNOWN | — | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3. | Jul 10, 2026 |
| CVE-2026-13242 | UNKNOWN | — | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field … | Jul 10, 2026 |