Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
5.5 MEDIUM
CVE-2026-12163 — Stored XSS in Fortra File Integrity Monitoring (FIM)

Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. An authentica…

file_integrity_monitoring | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 28, 2026
8.2 HIGH
CVE-2026-11972 — tarfile opened in streaming mode mishandles EOF

When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.

python cpython | Remote | Denial of Service
Jun 23, 2026 Jun 30, 2026
6.5 MEDIUM
CVE-2026-54518 — jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreato…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jun 27, 2026
6.2 MEDIUM
CVE-2026-9073 — Foreman-mcp-server: mcp server: insecure sensitive http header sanitization

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, whic…

satellite | Information Disclosure
Jun 23, 2026 Jun 25, 2026
5.3 MEDIUM
CVE-2026-54517 — jackson-databind: @JsonView bypass for setterless creator properties

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBa…

jackson-databind | Remote | Authorization
Jun 23, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-54516 — jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() all…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-54515 — jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnorePrope…

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextua…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jun 29, 2026
5.3 MEDIUM
CVE-2026-54514 — jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed I…

jackson-databind | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 27, 2026
8.1 HIGH
CVE-2026-54513 — jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowI…

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jul 02, 2026
8.1 HIGH
CVE-2026-54512 — jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbi…

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeVali…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jun 27, 2026
6.9 MEDIUM
CVE-2026-53931 — NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable …

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
5.1 MEDIUM
CVE-2026-53930 — NocoDB: Server-Side Request Forgery via Base Migration URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing prot…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
5.1 MEDIUM
CVE-2026-53929 — NocoDB: Stored Cross-Site Scripting via Secure Attachment

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rend…

nocodb | Remote | Misconfiguration
Jun 23, 2026 Jun 25, 2026
6.3 MEDIUM
CVE-2026-53928 — NocoDB: Refresh Tokens Persist Through Password Recovery

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset th…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
5.1 MEDIUM
CVE-2026-53927 — NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in t…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
6.3 MEDIUM
CVE-2026-53926 — NocoDB: OAuth Tokens Persist Through Security Events

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and p…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-50193 — jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends …

jackson-databind | Remote | Denial of Service
Jun 23, 2026 Jun 27, 2026
2.3 LOW
CVE-2026-47388 — NocoDB: Missing Ownership Check in MCP Attachment Read

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including a…

nocodb | Remote | Authorization
Jun 23, 2026 Jun 25, 2026
8.4 HIGH
CVE-2026-47387 — NocoDB: Stored Cross-Site Scripting via Form View Redirect URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's …

nocodb | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
6.3 MEDIUM
CVE-2026-47386 — NocoDB: OAuth Authorization Code Race Condition

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Showing 20 of 8012 Results