Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22471
Total
1617
Critical
6868
High
7196
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-12761 | CRITICAL | 9.8 | The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up … | Jul 10, 2026 |
| CVE-2026-57850 | HIGH | 8.3 | RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, … | Jul 10, 2026 |
| CVE-2026-57158 | UNKNOWN | — | FreeRDP is a free implementation of the Remote Desktop Protocol. From 3.21.0 before 3.28.0, FreeRDP clients using the GFX pipeline contain an incomplete fix for … | Jul 10, 2026 |
| CVE-2026-57157 | MEDIUM | 6.5 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0, FreeRDP server implementations with the MS-RDPECAM camera device enumerator channel enabled scan … | Jul 10, 2026 |
| CVE-2026-57156 | UNKNOWN | — | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0 on 32-bit builds, FreeRDP clients contain an integer overflow in update_read_delta_points in … | Jul 10, 2026 |
| CVE-2026-55827 | HIGH | 7.5 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.27.1, FreeRDP clients launched with the non-default /cache:codec:rfx option pass desktop stride and … | Jul 10, 2026 |
| CVE-2026-55789 | HIGH | 8.5 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response … | Jul 10, 2026 |
| CVE-2026-55515 | MEDIUM | 5.0 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without … | Jul 10, 2026 |
| CVE-2026-55481 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, default.blade.php renders header_color and related branding color settings inside a CSS style block with HTML … | Jul 10, 2026 |
| CVE-2026-55479 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of … | Jul 10, 2026 |
| CVE-2026-55475 | MEDIUM | 5.7 | Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API … | Jul 10, 2026 |
| CVE-2026-55469 | MEDIUM | 6.5 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in … | Jul 10, 2026 |
| CVE-2026-55466 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline … | Jul 10, 2026 |
| CVE-2026-55462 | MEDIUM | 4.3 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and … | Jul 10, 2026 |
| CVE-2026-55461 | MEDIUM | 6.1 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the user edit flow stores url()->previous() from the attacker-controlled Referer header into Laravel’s intended URL … | Jul 10, 2026 |
| CVE-2026-55452 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report … | Jul 10, 2026 |
| CVE-2026-55377 | HIGH | 8.1 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record … | Jul 10, 2026 |
| CVE-2026-55370 | MEDIUM | 6.4 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code … | Jul 10, 2026 |
| CVE-2026-54714 | MEDIUM | 6.1 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a … | Jul 10, 2026 |
| CVE-2026-15295 | MEDIUM | 4.4 | The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, … | Jul 10, 2026 |
| CVE-2026-11321 | MEDIUM | 6.4 | The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, … | Jul 10, 2026 |
| CVE-2026-6872 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | Jul 10, 2026 |
| CVE-2026-6212 | HIGH | 8.8 | Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026. | Jul 10, 2026 |
| CVE-2026-61461 | HIGH | 8.8 | Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search … | Jul 10, 2026 |
| CVE-2026-61460 | HIGH | 8.8 | Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, … | Jul 10, 2026 |