Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22471
Total
1617
Critical
6868
High
7196
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-61459 | CRITICAL | 9.8 | MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check … | Jul 10, 2026 |
| CVE-2026-5801 | CRITICAL | 9.8 | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line … | Jul 10, 2026 |
| CVE-2026-59151 | CRITICAL | 9.6 | Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant … | Jul 10, 2026 |
| CVE-2026-55843 | MEDIUM | 6.5 | Snipe-IT is an IT asset/license management system. Prior to 8.6.0, UsersController::update() passes a missing permission request field through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction in a way that … | Jul 10, 2026 |
| CVE-2026-55516 | HIGH | 7.7 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then … | Jul 10, 2026 |
| CVE-2026-55478 | MEDIUM | 5.4 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to … | Jul 10, 2026 |
| CVE-2026-55476 | MEDIUM | 4.3 | Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authenticated … | Jul 10, 2026 |
| CVE-2026-55474 | MEDIUM | 6.5 | Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an … | Jul 10, 2026 |
| CVE-2026-55472 | MEDIUM | 4.3 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects … | Jul 10, 2026 |
| CVE-2026-55464 | MEDIUM | 5.4 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a … | Jul 10, 2026 |
| CVE-2026-55460 | HIGH | 7.1 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to … | Jul 10, 2026 |
| CVE-2026-54329 | HIGH | 8.5 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is … | Jul 10, 2026 |
| CVE-2026-53450 | HIGH | 7.4 | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, … | Jul 10, 2026 |
| CVE-2026-53449 | MEDIUM | 6.0 | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes … | Jul 10, 2026 |
| CVE-2026-53448 | HIGH | 7.2 | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly … | Jul 10, 2026 |
| CVE-2026-15146 | MEDIUM | 5.9 | GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or … | Jul 10, 2026 |
| CVE-2025-30008 | MEDIUM | 4.6 | HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a … | Jul 10, 2026 |
| CVE-2025-30007 | HIGH | 8.8 | HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote … | Jul 10, 2026 |
| CVE-2026-57476 | MEDIUM | 4.8 | Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into … | Jul 10, 2026 |
| CVE-2026-57475 | MEDIUM | 5.3 | Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. … | Jul 10, 2026 |
| CVE-2026-57474 | MEDIUM | 5.3 | Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. … | Jul 10, 2026 |
| CVE-2026-56668 | HIGH | 8.1 | ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token … | Jul 10, 2026 |
| CVE-2026-56667 | HIGH | 7.3 | ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without … | Jul 10, 2026 |
| CVE-2026-56666 | MEDIUM | 4.8 | ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but … | Jul 10, 2026 |
| CVE-2026-56665 | MEDIUM | 4.2 | ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 … | Jul 10, 2026 |