Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22832
Total
1629
Critical
7118
High
7284
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-55664 | MEDIUM | 4.3 | Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the … | Jul 10, 2026 |
| CVE-2026-55659 | HIGH | 7.7 | Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into … | Jul 10, 2026 |
| CVE-2026-55405 | HIGH | 7.6 | LangChain4j is a Java library for building LLM-powered applications on the JVM. Prior to 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26, the MariaDB and pgvector embedding stores … | Jul 10, 2026 |
| CVE-2026-55233 | HIGH | 7.5 | OpenResty is a high performance web platform. From 1.29.2.1 to before 1.29.2.5, an out-of-bounds write vulnerability exists in the upstream PROXY protocol v2 implementation. When … | Jul 10, 2026 |
| CVE-2026-55229 | HIGH | 7.5 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.34.0, Gotenberg's /forms/libreoffice/convert endpoint allows a specially crafted document to cause LibreOffice to automatically … | Jul 10, 2026 |
| CVE-2026-55213 | HIGH | 7.5 | h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the … | Jul 10, 2026 |
| CVE-2026-45203 | UNKNOWN | — | Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted … | Jul 10, 2026 |
| CVE-2026-45196 | UNKNOWN | — | Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a GPU register access which can … | Jul 10, 2026 |
| CVE-2026-41154 | UNKNOWN | — | Software installed and run as a non-privileged user may cause OOB kernel memory reads or writes through GPU API calls. When indexing pages larger than … | Jul 10, 2026 |
| CVE-2026-34196 | UNKNOWN | — | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses … | Jul 10, 2026 |
| CVE-2026-13039 | MEDIUM | 5.3 | The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in … | Jul 10, 2026 |
| CVE-2026-12761 | CRITICAL | 9.8 | The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up … | Jul 10, 2026 |
| CVE-2026-57850 | HIGH | 8.3 | RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, … | Jul 10, 2026 |
| CVE-2026-57158 | UNKNOWN | — | FreeRDP is a free implementation of the Remote Desktop Protocol. From 3.21.0 before 3.28.0, FreeRDP clients using the GFX pipeline contain an incomplete fix for … | Jul 10, 2026 |
| CVE-2026-57157 | MEDIUM | 6.5 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0, FreeRDP server implementations with the MS-RDPECAM camera device enumerator channel enabled scan … | Jul 10, 2026 |
| CVE-2026-57156 | UNKNOWN | — | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0 on 32-bit builds, FreeRDP clients contain an integer overflow in update_read_delta_points in … | Jul 10, 2026 |
| CVE-2026-55827 | HIGH | 7.5 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.27.1, FreeRDP clients launched with the non-default /cache:codec:rfx option pass desktop stride and … | Jul 10, 2026 |
| CVE-2026-55789 | HIGH | 8.5 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response … | Jul 10, 2026 |
| CVE-2026-55515 | MEDIUM | 5.0 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without … | Jul 10, 2026 |
| CVE-2026-55481 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, default.blade.php renders header_color and related branding color settings inside a CSS style block with HTML … | Jul 10, 2026 |
| CVE-2026-55479 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of … | Jul 10, 2026 |
| CVE-2026-55475 | MEDIUM | 5.7 | Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API … | Jul 10, 2026 |
| CVE-2026-55469 | MEDIUM | 6.5 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in … | Jul 10, 2026 |
| CVE-2026-55466 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline … | Jul 10, 2026 |
| CVE-2026-55462 | MEDIUM | 4.3 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and … | Jul 10, 2026 |