Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23329
Total
1657
Critical
7330
High
7410
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-60092 | MEDIUM | 6.1 | AVideo (Meet plugin) through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, … | Jul 08, 2026 |
| CVE-2026-59257 | HIGH | 8.8 | n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation … | Jul 08, 2026 |
| CVE-2026-59253 | MEDIUM | 5.0 | n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder … | Jul 08, 2026 |
| CVE-2026-58657 | MEDIUM | 4.8 | Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection vulnerability in the Markdown image resize() media action. Prior media … | Jul 08, 2026 |
| CVE-2026-58656 | HIGH | 7.5 | Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *, allowing unauthenticated attackers to make fully … | Jul 08, 2026 |
| CVE-2026-58654 | MEDIUM | 4.3 | The Grav API plugin (getgrav/grav-plugin-api) 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint (/api/v1/users/user/avatar). The endpoint validates only the client-declared MIME … | Jul 08, 2026 |
| CVE-2026-58480 | CRITICAL | 9.8 | Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension … | Jul 08, 2026 |
| CVE-2026-56778 | MEDIUM | 6.4 | n8n before 2.25.7 and 2.26.x before 2.26.2 contains an authorization bypass in the Public API execution retry endpoint, which authorizes access using the workflow:read scope … | Jul 08, 2026 |
| CVE-2026-56776 | HIGH | 7.4 | n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/{workflowId}/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. … | Jul 08, 2026 |
| CVE-2026-56775 | MEDIUM | 5.4 | n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating evaluation test-run endpoints that authorize state-changing actions using the workflow:read scope instead … | Jul 08, 2026 |
| CVE-2026-56401 | MEDIUM | 6.5 | Wazuh wazuh-modulesd before 5.0.0-beta3 contains a null pointer dereference vulnerability in inventory_sync FlatBuffer DataValue handling. An enrolled agent can send a verifier-valid DataValue message omitting … | Jul 08, 2026 |
| CVE-2026-56374 | LOW | 3.3 | ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger … | Jul 08, 2026 |
| CVE-2026-56362 | LOW | 3.3 | ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger … | Jul 08, 2026 |
| CVE-2026-56360 | MEDIUM | 4.0 | n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can … | Jul 08, 2026 |
| CVE-2026-56359 | MEDIUM | 5.4 | n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow where authenticated users can inject malicious JavaScript URLs into OAuth2 credential Authorization … | Jul 08, 2026 |
| CVE-2026-56298 | MEDIUM | 4.3 | Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing … | Jul 08, 2026 |
| CVE-2026-56297 | HIGH | 7.0 | FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_receive due to improper synchronization of channel_callback access. A malicious RDP server can trigger a … | Jul 08, 2026 |
| CVE-2026-56293 | MEDIUM | 5.4 | Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to … | Jul 08, 2026 |
| CVE-2026-56284 | MEDIUM | 5.3 | Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which is callable by the anon role using only … | Jul 08, 2026 |
| CVE-2026-56283 | MEDIUM | 5.4 | Capgo before 12.128.2 contains an html injection vulnerability in the organization settings endpoint that allows attackers to inject malicious HTML content. Attackers can craft payloads … | Jul 08, 2026 |
| CVE-2026-56273 | MEDIUM | 6.5 | Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with … | Jul 08, 2026 |
| CVE-2026-56250 | HIGH | 7.5 | Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable app_versions.r2_path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch … | Jul 08, 2026 |
| CVE-2026-56246 | HIGH | 8.1 | Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited_to_orgs) inherits its owner-user's permissions, allowing … | Jul 08, 2026 |
| CVE-2026-56226 | HIGH | 7.5 | Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. … | Jul 08, 2026 |
| CVE-2026-56220 | MEDIUM | 6.5 | Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with … | Jul 08, 2026 |