Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23329
Total
1657
Critical
7330
High
7410
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-3110 | UNKNOWN | — | OpenVPN Access Server 2.7.2 through 3.1.0 accepts bare line-feed sequences inside HTTP header values, allowing remote attackers to perform HTTP request smuggling when deployed behind … | Jul 08, 2026 |
| CVE-2026-9074 | CRITICAL | 9.1 | IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality. | Jul 08, 2026 |
| CVE-2026-59880 | UNKNOWN | — | Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a … | Jul 08, 2026 |
| CVE-2026-59877 | MEDIUM | 5.3 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an … | Jul 08, 2026 |
| CVE-2026-59876 | MEDIUM | 4.8 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, … | Jul 08, 2026 |
| CVE-2026-59875 | MEDIUM | 5.3 | node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in … | Jul 08, 2026 |
| CVE-2026-59874 | UNKNOWN | — | node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, … | Jul 08, 2026 |
| CVE-2026-59873 | UNKNOWN | — | node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, … | Jul 08, 2026 |
| CVE-2026-59871 | MEDIUM | 5.3 | node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, … | Jul 08, 2026 |
| CVE-2026-59870 | MEDIUM | 5.3 | js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a … | Jul 08, 2026 |
| CVE-2026-59869 | HIGH | 7.5 | js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a … | Jul 08, 2026 |
| CVE-2026-59868 | MEDIUM | 5.3 | js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a … | Jul 08, 2026 |
| CVE-2026-59725 | HIGH | 7.5 | Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response … | Jul 08, 2026 |
| CVE-2026-59724 | HIGH | 7.5 | Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such … | Jul 08, 2026 |
| CVE-2026-59702 | CRITICAL | 9.3 | repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to … | Jul 08, 2026 |
| CVE-2026-59262 | MEDIUM | 6.5 | AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can … | Jul 08, 2026 |
| CVE-2026-57439 | MEDIUM | 5.0 | CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while … | Jul 08, 2026 |
| CVE-2026-55761 | UNKNOWN | — | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In … | Jul 08, 2026 |
| CVE-2026-54344 | MEDIUM | 4.7 | ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional … | Jul 08, 2026 |
| CVE-2026-53951 | UNKNOWN | — | Copier is a library and CLI app for rendering project templates. In versions 9.5.0 through 9.15.1, the `trust` setting's prefix match (`copier/_settings.py`) compares the template … | Jul 08, 2026 |
| CVE-2026-49946 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | Jul 08, 2026 |
| CVE-2026-49945 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | Jul 08, 2026 |
| CVE-2026-49944 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | Jul 08, 2026 |
| CVE-2026-3144 | HIGH | 8.1 | IBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to gain unauthorized access to the application before the system enforces … | Jul 08, 2026 |
| CVE-2026-15063 | MEDIUM | 6.3 | A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied … | Jul 08, 2026 |