Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22832
Total
1629
Critical
7118
High
7284
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-55461 | MEDIUM | 6.1 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the user edit flow stores url()->previous() from the attacker-controlled Referer header into Laravel’s intended URL … | Jul 10, 2026 |
| CVE-2026-55452 | UNKNOWN | — | Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report … | Jul 10, 2026 |
| CVE-2026-55377 | HIGH | 8.1 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record … | Jul 10, 2026 |
| CVE-2026-55370 | MEDIUM | 6.4 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code … | Jul 10, 2026 |
| CVE-2026-54714 | MEDIUM | 6.1 | Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a … | Jul 10, 2026 |
| CVE-2026-15295 | MEDIUM | 4.4 | The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, … | Jul 10, 2026 |
| CVE-2026-11321 | MEDIUM | 6.4 | The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, … | Jul 10, 2026 |
| CVE-2026-6872 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | Jul 10, 2026 |
| CVE-2026-6212 | HIGH | 8.8 | Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026. | Jul 10, 2026 |
| CVE-2026-61461 | HIGH | 8.8 | Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search … | Jul 10, 2026 |
| CVE-2026-61460 | HIGH | 8.8 | Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, … | Jul 10, 2026 |
| CVE-2026-61459 | CRITICAL | 9.8 | MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check … | Jul 10, 2026 |
| CVE-2026-5801 | CRITICAL | 9.8 | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line … | Jul 10, 2026 |
| CVE-2026-59151 | CRITICAL | 9.6 | Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant … | Jul 10, 2026 |
| CVE-2026-55843 | MEDIUM | 6.5 | Snipe-IT is an IT asset/license management system. Prior to 8.6.0, UsersController::update() passes a missing permission request field through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction in a way that … | Jul 10, 2026 |
| CVE-2026-55516 | HIGH | 7.7 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then … | Jul 10, 2026 |
| CVE-2026-55478 | MEDIUM | 5.4 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to … | Jul 10, 2026 |
| CVE-2026-55476 | MEDIUM | 4.3 | Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authenticated … | Jul 10, 2026 |
| CVE-2026-55474 | MEDIUM | 6.5 | Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an … | Jul 10, 2026 |
| CVE-2026-55472 | MEDIUM | 4.3 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects … | Jul 10, 2026 |
| CVE-2026-55464 | MEDIUM | 5.4 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a … | Jul 10, 2026 |
| CVE-2026-55460 | HIGH | 7.1 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to … | Jul 10, 2026 |
| CVE-2026-54329 | HIGH | 8.5 | Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is … | Jul 10, 2026 |
| CVE-2026-53450 | HIGH | 7.4 | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, … | Jul 10, 2026 |
| CVE-2026-53449 | MEDIUM | 6.0 | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes … | Jul 10, 2026 |