Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

22796
Total
1628
Critical
7094
High
7273
Medium
CVE ID Severity Score Description Published
CVE-2026-61454 MEDIUM 5.3 The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This … Jul 11, 2026
CVE-2026-61448 UNKNOWN Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension … Jul 11, 2026
CVE-2026-61447 CRITICAL 10.0 PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers … Jul 11, 2026
CVE-2026-61445 CRITICAL 9.9 PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM … Jul 11, 2026
CVE-2026-61442 HIGH 7.1 PraisonAI Platform (praisonai-platform) before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A … Jul 11, 2026
CVE-2026-61439 HIGH 7.5 PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked. … Jul 11, 2026
CVE-2026-61429 HIGH 8.5 PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding … Jul 11, 2026
CVE-2026-61428 HIGH 7.3 PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted … Jul 11, 2026
CVE-2026-61426 HIGH 8.6 PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call … Jul 11, 2026
CVE-2026-60090 CRITICAL 9.8 PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create_collection() backends. Although schema, keyspace, and collection-name identifiers are … Jul 11, 2026
CVE-2026-60088 MEDIUM 5.5 PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path … Jul 11, 2026
CVE-2026-56763 MEDIUM 4.8 Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When … Jul 11, 2026
CVE-2026-56372 LOW 3.3 ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the magnify operation that allows attackers to read out of bounds memory. An unrecognized magnify:method … Jul 11, 2026
CVE-2026-56303 HIGH 7.5 Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can … Jul 11, 2026
CVE-2026-56296 MEDIUM 5.3 Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transfer_app RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated … Jul 11, 2026
CVE-2026-56240 MEDIUM 4.3 Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan_valid calculation that allows organizations with exhausted or expired usage credit grants to bypass … Jul 11, 2026
CVE-2026-57828 UNKNOWN The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE. Jul 11, 2026
CVE-2026-57827 UNKNOWN The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. Jul 11, 2026
CVE-2026-1359 HIGH 8.8 The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on … Jul 11, 2026
CVE-2026-9282 HIGH 7.5 The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This … Jul 11, 2026
CVE-2026-9017 MEDIUM 5.3 The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This … Jul 11, 2026
CVE-2026-6939 HIGH 7.2 The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, … Jul 11, 2026
CVE-2026-6801 MEDIUM 5.3 The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes … Jul 11, 2026
CVE-2026-4661 HIGH 7.5 The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter … Jul 11, 2026
CVE-2026-1382 MEDIUM 6.4 The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due … Jul 11, 2026