Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-59793 — JetBrains TeamCity Perforce VCS Integration Arbitrary File Access Vulnerability

In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration

teamcity | Remote | Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.6 CRITICAL
CVE-2026-59792 — JetBrains IntelliJ IDEA Path Traversal Remote Code Execution

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible

intellij_idea | Remote | Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
3.5 LOW
CVE-2026-59791 — JetBrains YouTrack CSS Injection

In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible

youtrack | Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.3 MEDIUM
CVE-2026-58661 — n8n - Disk Space Exhaustion via Data-Table File Upload Endpoint

n8n before 2.28.0 (and before 1.123.58 on the 1.x branch) contains a disk space exhaustion vulnerability in the data-table file upload endpoint. The per-request quota check does not account for files…

Remote | Denial of Service
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.9 MEDIUM
CVE-2026-57994 — phpMyFAQ - Information Disclosure of Inactive FAQ Content via Public API Endpoints

phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive (draft or review-only…

Remote | Information Disclosure
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.1 MEDIUM
CVE-2026-57961 — phpMyFAQ - Authenticated Path Traversal in PDF Export via concatenatePaths Function

phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths() function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges…

Remote | Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.8 CRITICAL
CVE-2026-56765 — Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chaine…

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The Ge…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.3 MEDIUM
CVE-2026-56373 — ImageMagick - Use-After-Free Write in PDB Decoder

ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that uses a stale pointer when memory allocation fails. Attackers can trigger this vulnerability by processing m…

Remote | Memory Corruption
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.8 MEDIUM
CVE-2026-56366 — ImageMagick - Memory Leak in META Reader APP1JPEG Error Path

ImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths. Attackers can trigger this memory leak by providing specially crafted APP1JPE…

| Memory Corruption
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.1 MEDIUM
CVE-2026-56354 — n8n - Cross-Site Scripting and Open Redirect in Form Node

n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields a…

Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.1 HIGH
CVE-2026-56335 — Capgo - Channel Configuration Mutation via Write-Scoped API Keys

Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null auth…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.4 MEDIUM
CVE-2026-56329 — Capgo - Cross-Tenant Preview Namespace Collision via Non-Bijective Underscore Decoding

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can regis…

Remote | Misconfiguration
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.9 MEDIUM
CVE-2026-56312 — Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint

Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha pr…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.4 MEDIUM
CVE-2026-56309 — Capgo - Plan Bypass via Unrestricted Attachment Upload Endpoint

Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbit…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-56305 — Capgo - Authentication Bypass in Password Change via Missing Current Password Validation

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. A…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-56279 — Capgo - Information Disclosure via get_orgs_v7 RPC Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticate…

Remote | Information Disclosure
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.2 CRITICAL
CVE-2026-56261 — Crawl4AI - Server-Side Request Forgery via Webhook URLs

Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validatio…

Remote | Server-Side Request Forgery
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.3 HIGH
CVE-2026-56254 — capacitor-updater - End-to-End Encryption Bypass via Private Key Distribution

In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived f…

Remote | Cryptography
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-38059 — ST Engineering iDirect iQ-Series Terminals Missing authentication for critical function

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including th…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.1 HIGH
CVE-2026-38057 — ST Engineering iDirect iQ-Series Terminals Cross-Site request forgery

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lack…

Remote | Cross-Site Request Forgery
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
Showing 20 of 7354 Results