Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22832
Total
1629
Critical
7118
High
7284
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-8609 | MEDIUM | 5.3 | An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the … | Jul 10, 2026 |
| CVE-2026-8595 | MEDIUM | 6.8 | A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the … | Jul 10, 2026 |
| CVE-2026-56676 | HIGH | 7.4 | 9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the … | Jul 10, 2026 |
| CVE-2026-55501 | HIGH | 7.3 | 9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled … | Jul 10, 2026 |
| CVE-2026-55500 | CRITICAL | 9.9 | 9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, … | Jul 10, 2026 |
| CVE-2026-54149 | HIGH | 8.8 | MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py do not … | Jul 10, 2026 |
| CVE-2026-54001 | UNKNOWN | — | osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap … | Jul 10, 2026 |
| CVE-2026-54000 | UNKNOWN | — | osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap … | Jul 10, 2026 |
| CVE-2026-46388 | MEDIUM | 4.4 | osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery … | Jul 10, 2026 |
| CVE-2026-33382 | HIGH | 7.5 | Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very … | Jul 10, 2026 |
| CVE-2026-15375 | MEDIUM | 4.3 | A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User … | Jul 10, 2026 |
| CVE-2026-15374 | MEDIUM | 6.3 | A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. … | Jul 10, 2026 |
| CVE-2026-15373 | MEDIUM | 6.3 | A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of … | Jul 10, 2026 |
| CVE-2026-15143 | CRITICAL | 9.3 | A flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition (XSD) … | Jul 10, 2026 |
| CVE-2026-61492 | LOW | 3.5 | In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible | Jul 10, 2026 |
| CVE-2026-61456 | MEDIUM | 4.6 | The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile() method validates only the file … | Jul 10, 2026 |
| CVE-2026-61455 | MEDIUM | 6.5 | Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract() that lacks limits on uncompressed size, file count, and nesting depth. Attackers can supply a … | Jul 10, 2026 |
| CVE-2026-61450 | MEDIUM | 6.5 | Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author (any admin.pages user, or anyone able to write to user/pages) to exfiltrate … | Jul 10, 2026 |
| CVE-2026-61444 | CRITICAL | 9.1 | PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can … | Jul 10, 2026 |
| CVE-2026-61441 | MEDIUM | 6.5 | PraisonAI Platform (praisonai-platform) before 0.1.9 improperly authorizes deletion of issue dependencies. The DELETE dependency route accepts either endpoint of a dependency edge and checks delete … | Jul 10, 2026 |
| CVE-2026-61437 | HIGH | 7.8 | PraisonAI (pip package praisonaiagents) before 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow._resolve_pydantic_class (src/praisonai-agents/praisonaiagents/workflows/workflows.py). When a workflow step uses a string output_pydantic reference, … | Jul 10, 2026 |
| CVE-2026-61434 | HIGH | 8.8 | PraisonAI versions before 4.6.78 contain an allowlist bypass vulnerability in shell command execution that allows attackers to execute restricted commands via find's built-in -exec, -execdir, … | Jul 10, 2026 |
| CVE-2026-61432 | MEDIUM | 5.7 | PraisonAI (praisonaiagents) before 1.6.78 contains a path traversal vulnerability in the FastContext feature (praisonaiagents.context.fast). FastContextAgent.execute_tool() prepends the configured workspace_path only for relative paths and neither … | Jul 10, 2026 |
| CVE-2026-61431 | MEDIUM | 5.5 | PraisonAI before 4.6.78 contains a path traversal vulnerability in ContextGatherer that fails to validate include paths in .praisoncontext and .praisoninclude files. Attackers can supply absolute … | Jul 10, 2026 |
| CVE-2026-60091 | HIGH | 7.2 | PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhook_url parameter is validated at request time but … | Jul 10, 2026 |