Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.4 MEDIUM
CVE-2026-10660 — Shared reassembly buffer in Bluetooth BAP Broadcast Assistant enables cross-connection me…

The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assistant.c reassembled remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf…

zephyr zephyr | Memory Corruption
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
2.9 LOW
CVE-2026-61870 — ImageMagick before 7.1.2-26 Memory Leak via VIFF Encoder

ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memory allocation fails. Attackers can trigger allocation failures by processing specially crafted VIFF image…

| Memory Corruption
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
3.7 LOW
CVE-2026-61861 — ImageMagick before 7.1.2-26 Use-After-Free in FormatMagickCaption

ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption method when memory allocation fails. Attackers can trigger memory allocation failures to cause a danglin…

Remote | Memory Corruption
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
3.3 LOW
CVE-2026-61858 — ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypass…

| Path Traversal
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
3.7 LOW
CVE-2026-61857 — ImageMagick before 7.1.2-26 Heap Use-After-Free via XMP

ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP d…

Remote | Memory Corruption
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
3.3 LOW
CVE-2026-61465 — ImageMagick before 7.1.2-26 Memory Allocation Policy Bypass

ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny. An attacker can supply a crafted image that causes Ima…

| Denial of Service
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-61454 — Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__

The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This o…

grav | Remote | Information Disclosure
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
2.1 LOW
CVE-2026-61448 — Parse Server 9.0.0 Stored XSS via malformed Content-Type

Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime pac…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
10.0 CRITICAL
CVE-2026-61447 — PraisonAI before 1.6.78 Remote Code Execution via CodeAgent

PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox e…

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
9.9 CRITICAL
CVE-2026-61445 — PraisonAI before 4.6.78 Arbitrary File Write and Command Execution

PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM tool calls. Attacke…

Remote | Path Traversal
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.1 HIGH
CVE-2026-61442 — PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH

PraisonAI Platform (praisonai-platform) before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A works…

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.5 HIGH
CVE-2026-61439 — PraisonAI before 4.6.78 Prompt Injection Defense Bypass

PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked. At…

Remote | Misconfiguration
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.5 HIGH
CVE-2026-61429 — PraisonAI before 1.6.78 SSRF via Crawl4AI Chromium backend

PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and H…

Remote | Server-Side Request Forgery
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.3 HIGH
CVE-2026-61428 — PraisonAI AgentMail before 4.6.78 Message Injection via Webhook

PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted…

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.6 HIGH
CVE-2026-61426 — PraisonAI before 1.7.3 Unauthenticated Agent Access via Insecure Defaults

PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to rea…

Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
9.8 CRITICAL
CVE-2026-60090 — PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension

PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create_collection() backends. Although schema, keyspace, and collectio…

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.5 MEDIUM
CVE-2026-60088 — PraisonAI before 4.6.78 Path Traversal via Custom Commands

PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like…

| Path Traversal
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.8 MEDIUM
CVE-2026-56763 — Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option

Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged…

Remote | Misconfiguration
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
3.3 LOW
CVE-2026-56372 — ImageMagick - Heap Buffer Overflow Read via Unrecognized Magnify Method

ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the magnify operation that allows attackers to read out of bounds memory. An unrecognized magnify:method value triggers an…

| Memory Corruption
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.5 HIGH
CVE-2026-56303 — Capgo - Unauthenticated API Key Metadata Disclosure via SECURITY DEFINER RPC Function

Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attacke…

Remote | Information Disclosure
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
Showing 20 of 7402 Results