Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

22832
Total
1629
Critical
7118
High
7284
Medium
CVE ID Severity Score Description Published
CVE-2026-8609 MEDIUM 5.3 An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the … Jul 10, 2026
CVE-2026-8595 MEDIUM 6.8 A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the … Jul 10, 2026
CVE-2026-56676 HIGH 7.4 9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the … Jul 10, 2026
CVE-2026-55501 HIGH 7.3 9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled … Jul 10, 2026
CVE-2026-55500 CRITICAL 9.9 9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, … Jul 10, 2026
CVE-2026-54149 HIGH 8.8 MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py do not … Jul 10, 2026
CVE-2026-54001 UNKNOWN osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap … Jul 10, 2026
CVE-2026-54000 UNKNOWN osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap … Jul 10, 2026
CVE-2026-46388 MEDIUM 4.4 osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery … Jul 10, 2026
CVE-2026-33382 HIGH 7.5 Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very … Jul 10, 2026
CVE-2026-15375 MEDIUM 4.3 A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User … Jul 10, 2026
CVE-2026-15374 MEDIUM 6.3 A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. … Jul 10, 2026
CVE-2026-15373 MEDIUM 6.3 A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of … Jul 10, 2026
CVE-2026-15143 CRITICAL 9.3 A flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition (XSD) … Jul 10, 2026
CVE-2026-61492 LOW 3.5 In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible Jul 10, 2026
CVE-2026-61456 MEDIUM 4.6 The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile() method validates only the file … Jul 10, 2026
CVE-2026-61455 MEDIUM 6.5 Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract() that lacks limits on uncompressed size, file count, and nesting depth. Attackers can supply a … Jul 10, 2026
CVE-2026-61450 MEDIUM 6.5 Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author (any admin.pages user, or anyone able to write to user/pages) to exfiltrate … Jul 10, 2026
CVE-2026-61444 CRITICAL 9.1 PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can … Jul 10, 2026
CVE-2026-61441 MEDIUM 6.5 PraisonAI Platform (praisonai-platform) before 0.1.9 improperly authorizes deletion of issue dependencies. The DELETE dependency route accepts either endpoint of a dependency edge and checks delete … Jul 10, 2026
CVE-2026-61437 HIGH 7.8 PraisonAI (pip package praisonaiagents) before 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow._resolve_pydantic_class (src/praisonai-agents/praisonaiagents/workflows/workflows.py). When a workflow step uses a string output_pydantic reference, … Jul 10, 2026
CVE-2026-61434 HIGH 8.8 PraisonAI versions before 4.6.78 contain an allowlist bypass vulnerability in shell command execution that allows attackers to execute restricted commands via find's built-in -exec, -execdir, … Jul 10, 2026
CVE-2026-61432 MEDIUM 5.7 PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute_tool() prepends the configured workspace_path only for relative paths and neither … Jul 10, 2026
CVE-2026-61431 MEDIUM 5.5 PraisonAI before 4.6.78 contains a path traversal vulnerability in ContextGatherer that fails to validate include paths in .praisoncontext and .praisoninclude files. Attackers can supply absolute … Jul 10, 2026
CVE-2026-60091 HIGH 7.2 PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhook_url parameter is validated at request time but … Jul 10, 2026