Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.7 HIGH
CVE-2026-34044 — Coolify: Cross-team IDOR in logs component (resource lookup not team-scoped)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.9 CRITICAL
CVE-2026-34037 — Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the sou…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34035 — Coolify: Host RCE via Log Drain secret/env command injection

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell comma…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34034 — Coolify: Host RCE via Sentinel token injection

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient va…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-11328 — Exclusive Addons for Elementor <= 2.7.9.8 - Authenticated (Contributor+) Stored Cross-Sit…

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient inp…

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.1 MEDIUM
CVE-2026-53648 — FOSSBilling: Downloadable product files can be overwritten through filename collisions

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrat…

Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.9 MEDIUM
CVE-2026-53647 — FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serv…

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any cal…

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.3 MEDIUM
CVE-2026-13356 — Interrupted navigation could allow address bar origin spoofing in Firefox for iOS

A malicious webpage could interrupt a pending navigation by enqueuing a synchronous JavaScript dialog, causing the browser UI to display the destination origin in the address bar while continuing to …

Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.0 MEDIUM
CVE-2024-56141 — Minosoft has IV equal to key

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager  encryption routine ( CryptMan…

Remote | Cryptography
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.7 HIGH
CVE-2026-53646 — FOSSBilling: Client password reset token reuse allows persistent account takeover

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a `ClientPasswordReset` record already exists for a client (from a previous unexpired re…

Remote | Authentication
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
8.5 HIGH
CVE-2026-53645 — FOSSBilling's missing self-edit prevention in staff permission management allows persiste…

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow a low-privileged staff account to grant arbitrary module permissions to itself through the admin…

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
8.6 HIGH
CVE-2026-53644 — FOSSBilling's missing order-state validation allows clients to read and reset API key sec…

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no…

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
8.7 HIGH
CVE-2026-53643 — FOSSBilling allows low-privileged staff accounts to perform unauthorized actions via admi…

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root …

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-53642 — FOSSBilling: Unverified clients can access client-area pages when email confirmation is r…

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverifi…

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
4.8 MEDIUM
CVE-2026-53641 — FOSSBilling has stored XSS in client email views via unescaped content in JavaScript temp…

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views o…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
2.3 LOW
CVE-2026-53640 — FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitiv…

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission che…

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
6.1 MEDIUM
CVE-2026-59710 — showdown - Stored XSS via Unescaped Table Header ID Attribute Injection

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
2.3 LOW
CVE-2026-43928 — FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpaym…

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount (`mc_…

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
6.9 MEDIUM
CVE-2026-43927 — FOSSBilling has race condition in cart checkout that bypasses promo code usage limits

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond…

Remote | Race Condition
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
6.9 MEDIUM
CVE-2026-43925 — FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized…

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any v…

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
Showing 20 of 7588 Results