Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22832
Total
1629
Critical
7118
High
7284
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-60089 | MEDIUM | 5.5 | PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A … | Jul 10, 2026 |
| CVE-2026-60086 | MEDIUM | 5.3 | PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector … | Jul 10, 2026 |
| CVE-2026-59796 | HIGH | 8.1 | In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks | Jul 10, 2026 |
| CVE-2026-59795 | HIGH | 8.1 | In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible | Jul 10, 2026 |
| CVE-2026-59794 | HIGH | 7.3 | In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data | Jul 10, 2026 |
| CVE-2026-59793 | HIGH | 8.8 | In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration | Jul 10, 2026 |
| CVE-2026-59792 | CRITICAL | 9.6 | In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible | Jul 10, 2026 |
| CVE-2026-59791 | LOW | 3.5 | In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible | Jul 10, 2026 |
| CVE-2026-58661 | UNKNOWN | — | n8n before 2.28.0 (and before 1.123.58 on the 1.x branch) contains a disk space exhaustion vulnerability in the data-table file upload endpoint. The per-request quota … | Jul 10, 2026 |
| CVE-2026-57994 | MEDIUM | 5.3 | phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive (draft or review-only) FAQ … | Jul 10, 2026 |
| CVE-2026-57961 | LOW | 2.7 | phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths() function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges can store HTML … | Jul 10, 2026 |
| CVE-2026-56765 | CRITICAL | 9.8 | Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. … | Jul 10, 2026 |
| CVE-2026-56373 | LOW | 3.7 | ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that uses a stale pointer when memory allocation fails. Attackers can trigger this vulnerability … | Jul 10, 2026 |
| CVE-2026-56366 | LOW | 3.3 | ImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths. Attackers can trigger this memory leak by providing … | Jul 10, 2026 |
| CVE-2026-56354 | MEDIUM | 4.1 | n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to … | Jul 10, 2026 |
| CVE-2026-56335 | MEDIUM | 6.5 | Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null … | Jul 10, 2026 |
| CVE-2026-56329 | MEDIUM | 6.4 | Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can … | Jul 10, 2026 |
| CVE-2026-56312 | MEDIUM | 6.5 | Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha … | Jul 10, 2026 |
| CVE-2026-56309 | MEDIUM | 5.4 | Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary … | Jul 10, 2026 |
| CVE-2026-56305 | HIGH | 8.3 | Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. … | Jul 10, 2026 |
| CVE-2026-56279 | HIGH | 7.5 | Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can … | Jul 10, 2026 |
| CVE-2026-56261 | HIGH | 8.6 | Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination … | Jul 10, 2026 |
| CVE-2026-56254 | HIGH | 7.0 | In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can … | Jul 10, 2026 |
| CVE-2026-38059 | HIGH | 7.5 | The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including … | Jul 10, 2026 |
| CVE-2026-38057 | HIGH | 8.1 | The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session … | Jul 10, 2026 |