Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-59710 — showdown - Stored XSS via Unescaped Table Header ID Attribute Injection

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
2.3 LOW
CVE-2026-43928 — FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpaym…

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount (`mc_…

Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.9 MEDIUM
CVE-2026-43927 — FOSSBilling has race condition in cart checkout that bypasses promo code usage limits

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond…

Remote | Race Condition
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.9 MEDIUM
CVE-2026-43925 — FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized…

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any v…

Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.9 HIGH
CVE-2026-43921 — FOSSBilling vulnerable to arbitrary PHP code injection via unescaped config serialization

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` metho…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.7 HIGH
CVE-2026-43918 — Suspended or inactive FOSSBilling accounts can retain or regain access through existing s…

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions …

Remote | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-42204 — Coolify: Authenticated RCE via SHELL_SAFE_COMMAND_PATTERN regression → host root

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampe…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-42153 — Coolify: PostgreSQL Healthcheck Command Injection Allows Root Code Execution in Container

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled databas…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
3.8 LOW
CVE-2026-42148 — Coolify: Command Injection via Unescaped Version String in Docker Build

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs …

coolify | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-41899 — Coolify unauthenticated feedback endpoint allows Discord webhook abuse

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input v…

coolify | Remote | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
0.0 NA
CVE-2026-38979 — Ajenti Clickjacking Vulnerability

ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards…

| Misconfiguration
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
0.0 NA
CVE-2026-38976 — mruby/c NULL Pointer Dereference

mrubyc through 3.4.1 was found to contain a NULL pointer dereference in src/vm.c in op_super() / OP_SUPER due to a missing runtime guard for top-level super.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
0.0 NA
CVE-2026-38973 — mruby/c Out-of-Bounds Read

mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-34599 — Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs L…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.0 MEDIUM
CVE-2026-34167 — Coolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityM…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId proper…

coolify | Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-34153 — Coolify LocalFileVolume fs_path command injection enables RCE

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-34050 — Coolify Settings/Updates Livewire component missing instance administrator authorization

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in …

coolify | Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
3.3 LOW
CVE-2026-34049 — Coolify: Command Injection via unsanitized MongoDB collection names in database backup

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names d…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-32718 — Coolify read-scoped API tokens can perform state-changing validation operations

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing re…

coolify | Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.6 HIGH
CVE-2026-59713 — Leantime - OIDC Login CSRF via Unconditional State Verification Stub

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with …

Remote | Cross-Site Request Forgery
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
Showing 20 of 7526 Results