Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22874
Total
1630
Critical
7150
High
7293
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-53963 | HIGH | 7.3 | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped … | Jul 09, 2026 |
| CVE-2026-53962 | MEDIUM | 5.4 | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to … | Jul 09, 2026 |
| CVE-2026-53961 | MEDIUM | 6.5 | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages … | Jul 09, 2026 |
| CVE-2026-49256 | UNKNOWN | — | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, … | Jul 09, 2026 |
| CVE-2026-46413 | MEDIUM | 6.5 | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the … | Jul 09, 2026 |
| CVE-2026-45788 | UNKNOWN | — | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the … | Jul 09, 2026 |
| CVE-2026-45780 | MEDIUM | 5.3 | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to … | Jul 09, 2026 |
| CVE-2026-44787 | HIGH | 8.2 | Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and … | Jul 09, 2026 |
| CVE-2026-39246 | UNKNOWN | — | decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed … | Jul 09, 2026 |
| CVE-2026-39245 | MEDIUM | 6.2 | decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function (index.js line 29) and the … | Jul 09, 2026 |
| CVE-2026-39243 | MEDIUM | 5.5 | decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the … | Jul 09, 2026 |
| CVE-2026-38076 | UNKNOWN | — | An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex commit cc37d0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | Jul 09, 2026 |
| CVE-2026-33803 | MEDIUM | 6.5 | An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited … | Jul 09, 2026 |
| CVE-2026-33802 | MEDIUM | 5.5 | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on EX Series allows a local, authenticated attacker to cause a Denial-of-Service (DoS). … | Jul 09, 2026 |
| CVE-2026-15276 | LOW | 3.3 | A flaw has been found in pdeljanov Symphonia up to 0.6.0. This vulnerability affects unknown code of the component Metadata Handler. This manipulation causes denial … | Jul 09, 2026 |
| CVE-2026-15274 | LOW | 3.3 | A vulnerability was detected in lo48576 fbxcel up to 0.9.0. This affects an unknown part of the file src/pull_parser/v7400/parser.rs of the component Node Header Handler. … | Jul 09, 2026 |
| CVE-2026-15271 | HIGH | 7.5 | A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some … | Jul 09, 2026 |
| CVE-2026-60120 | MEDIUM | 5.4 | Bagisto before 2.4.4 contains a stored cross-site scripting vulnerability via client-side template injection that allows unauthenticated attackers to execute arbitrary JavaScript in administrator browsers by … | Jul 09, 2026 |
| CVE-2026-55865 | UNKNOWN | — | Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.1, given a malformed {% case %} tag without an associated {% … | Jul 09, 2026 |
| CVE-2026-55212 | HIGH | 7.1 | Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is … | Jul 09, 2026 |
| CVE-2026-55208 | HIGH | 7.7 | Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash … | Jul 09, 2026 |
| CVE-2026-55207 | HIGH | 8.8 | Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can … | Jul 09, 2026 |
| CVE-2026-51926 | UNKNOWN | — | An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in … | Jul 09, 2026 |
| CVE-2026-51925 | HIGH | 8.1 | A Local File Inclusion (LFI) vulnerability exists in docuForm GmbH Client v.11.11c that allows a remote attacker to execute arbitrary code via the dfm-menu_report.php component. … | Jul 09, 2026 |
| CVE-2026-51924 | HIGH | 8.1 | An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file upload and report.php component | Jul 09, 2026 |