Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

22832
Total
1629
Critical
7118
High
7284
Medium
CVE ID Severity Score Description Published
CVE-2026-60089 MEDIUM 5.5 PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A … Jul 10, 2026
CVE-2026-60086 MEDIUM 5.3 PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector … Jul 10, 2026
CVE-2026-59796 HIGH 8.1 In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks Jul 10, 2026
CVE-2026-59795 HIGH 8.1 In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible Jul 10, 2026
CVE-2026-59794 HIGH 7.3 In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data Jul 10, 2026
CVE-2026-59793 HIGH 8.8 In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration Jul 10, 2026
CVE-2026-59792 CRITICAL 9.6 In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible Jul 10, 2026
CVE-2026-59791 LOW 3.5 In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible Jul 10, 2026
CVE-2026-58661 UNKNOWN n8n before 2.28.0 (and before 1.123.58 on the 1.x branch) contains a disk space exhaustion vulnerability in the data-table file upload endpoint. The per-request quota … Jul 10, 2026
CVE-2026-57994 MEDIUM 5.3 phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive (draft or review-only) FAQ … Jul 10, 2026
CVE-2026-57961 LOW 2.7 phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths() function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges can store HTML … Jul 10, 2026
CVE-2026-56765 CRITICAL 9.8 Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. … Jul 10, 2026
CVE-2026-56373 LOW 3.7 ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that uses a stale pointer when memory allocation fails. Attackers can trigger this vulnerability … Jul 10, 2026
CVE-2026-56366 LOW 3.3 ImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths. Attackers can trigger this memory leak by providing … Jul 10, 2026
CVE-2026-56354 MEDIUM 4.1 n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to … Jul 10, 2026
CVE-2026-56335 MEDIUM 6.5 Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null … Jul 10, 2026
CVE-2026-56329 MEDIUM 6.4 Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can … Jul 10, 2026
CVE-2026-56312 MEDIUM 6.5 Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha … Jul 10, 2026
CVE-2026-56309 MEDIUM 5.4 Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary … Jul 10, 2026
CVE-2026-56305 HIGH 8.3 Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. … Jul 10, 2026
CVE-2026-56279 HIGH 7.5 Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can … Jul 10, 2026
CVE-2026-56261 HIGH 8.6 Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination … Jul 10, 2026
CVE-2026-56254 HIGH 7.0 In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can … Jul 10, 2026
CVE-2026-38059 HIGH 7.5 The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including … Jul 10, 2026
CVE-2026-38057 HIGH 8.1 The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session … Jul 10, 2026