Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

22832
Total
1629
Critical
7118
High
7284
Medium
CVE ID Severity Score Description Published
CVE-2026-55461 MEDIUM 6.1 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the user edit flow stores url()->previous() from the attacker-controlled Referer header into Laravel’s intended URL … Jul 10, 2026
CVE-2026-55452 UNKNOWN Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report … Jul 10, 2026
CVE-2026-55377 HIGH 8.1 Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record … Jul 10, 2026
CVE-2026-55370 MEDIUM 6.4 Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code … Jul 10, 2026
CVE-2026-54714 MEDIUM 6.1 Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a … Jul 10, 2026
CVE-2026-15295 MEDIUM 4.4 The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, … Jul 10, 2026
CVE-2026-11321 MEDIUM 6.4 The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, … Jul 10, 2026
CVE-2026-6872 UNKNOWN Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … Jul 10, 2026
CVE-2026-6212 HIGH 8.8 Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026. Jul 10, 2026
CVE-2026-61461 HIGH 8.8 Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search … Jul 10, 2026
CVE-2026-61460 HIGH 8.8 Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, … Jul 10, 2026
CVE-2026-61459 CRITICAL 9.8 MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check … Jul 10, 2026
CVE-2026-5801 CRITICAL 9.8 Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line … Jul 10, 2026
CVE-2026-59151 CRITICAL 9.6 Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant … Jul 10, 2026
CVE-2026-55843 MEDIUM 6.5 Snipe-IT is an IT asset/license management system. Prior to 8.6.0, UsersController::update() passes a missing permission request field through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction in a way that … Jul 10, 2026
CVE-2026-55516 HIGH 7.7 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then … Jul 10, 2026
CVE-2026-55478 MEDIUM 5.4 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to … Jul 10, 2026
CVE-2026-55476 MEDIUM 4.3 Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authenticated … Jul 10, 2026
CVE-2026-55474 MEDIUM 6.5 Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an … Jul 10, 2026
CVE-2026-55472 MEDIUM 4.3 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects … Jul 10, 2026
CVE-2026-55464 MEDIUM 5.4 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a … Jul 10, 2026
CVE-2026-55460 HIGH 7.1 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to … Jul 10, 2026
CVE-2026-54329 HIGH 8.5 Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is … Jul 10, 2026
CVE-2026-53450 HIGH 7.4 Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, … Jul 10, 2026
CVE-2026-53449 MEDIUM 6.0 Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes … Jul 10, 2026