Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

22471
Total
1617
Critical
6868
High
7196
Medium
CVE ID Severity Score Description Published
CVE-2026-61459 CRITICAL 9.8 MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check … Jul 10, 2026
CVE-2026-5801 CRITICAL 9.8 Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line … Jul 10, 2026
CVE-2026-59151 CRITICAL 9.6 Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant … Jul 10, 2026
CVE-2026-55843 MEDIUM 6.5 Snipe-IT is an IT asset/license management system. Prior to 8.6.0, UsersController::update() passes a missing permission request field through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction in a way that … Jul 10, 2026
CVE-2026-55516 HIGH 7.7 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then … Jul 10, 2026
CVE-2026-55478 MEDIUM 5.4 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to … Jul 10, 2026
CVE-2026-55476 MEDIUM 4.3 Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authenticated … Jul 10, 2026
CVE-2026-55474 MEDIUM 6.5 Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an … Jul 10, 2026
CVE-2026-55472 MEDIUM 4.3 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects … Jul 10, 2026
CVE-2026-55464 MEDIUM 5.4 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a … Jul 10, 2026
CVE-2026-55460 HIGH 7.1 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to … Jul 10, 2026
CVE-2026-54329 HIGH 8.5 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is … Jul 10, 2026
CVE-2026-53450 HIGH 7.4 Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, … Jul 10, 2026
CVE-2026-53449 MEDIUM 6.0 Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes … Jul 10, 2026
CVE-2026-53448 HIGH 7.2 Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly … Jul 10, 2026
CVE-2026-15146 MEDIUM 5.9 GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or … Jul 10, 2026
CVE-2025-30008 MEDIUM 4.6 HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a … Jul 10, 2026
CVE-2025-30007 HIGH 8.8 HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote … Jul 10, 2026
CVE-2026-57476 MEDIUM 4.8 Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into … Jul 10, 2026
CVE-2026-57475 MEDIUM 5.3 Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. … Jul 10, 2026
CVE-2026-57474 MEDIUM 5.3 Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. … Jul 10, 2026
CVE-2026-56668 HIGH 8.1 ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token … Jul 10, 2026
CVE-2026-56667 HIGH 7.3 ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without … Jul 10, 2026
CVE-2026-56666 MEDIUM 4.8 ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but … Jul 10, 2026
CVE-2026-56665 MEDIUM 4.2 ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 … Jul 10, 2026