Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-9772 — Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability

Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentic…

unraid | Injection
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
8.1 HIGH
CVE-2026-55762 — Rocket.Chat: Any Authenticated User Can Permanently Deregister Workspace from Rocket.Chat…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces …

rocket.chat rocket.chat | Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.4 HIGH
CVE-2026-55759 — Rocket.Chat: Apple Sign-In skips JWT claims validation, allowing expired and cross-audien…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT sig…

rocket.chat rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
9.3 CRITICAL
CVE-2026-55666 — Rocket.Chat: Email Parameter Fallback Leads To Account Takeover Within Apple OAuth

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, han…

rocket.chat rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 29, 2026
Jun 24, 2026
Jun 29, 2026
9.0 CRITICAL
CVE-2026-55570 — SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj`…

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj …

siyuan | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
9.1 CRITICAL
CVE-2026-55455 — Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugin…

appsmith | Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
9.9 CRITICAL
CVE-2026-55454 — Appsmith: Caddy admin API exposed without authentication

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:…

appsmith | Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-54759 — SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to a…

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security …

siyuan | Remote | Misconfiguration
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
9.9 CRITICAL
CVE-2026-54158 — SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view (database) cell renderer genAVValueHTML interpolates cell content raw in four of its branches: text, …

siyuan | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
7.1 HIGH
CVE-2026-54070 — SiYuan: Stored XSS in Bazaar marketplace via package README event handlers

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engin…

siyuan | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
9.2 CRITICAL
CVE-2026-54069 — SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator acce…

siyuan | Remote | Authentication
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
5.9 MEDIUM
CVE-2026-54068 — SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getD…

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router (router.go, "…

siyuan | Remote | Information Disclosure
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
9.9 CRITICAL
CVE-2026-54067 — SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing </style> breaks out of its surrounding <style> tag when renderSnippet() interpolates it via …

siyuan | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-54066 — SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary f…

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical r…

siyuan | Remote | Path Traversal
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.1 MEDIUM
CVE-2026-53766 — chrome-devtools-mcp: validatePath() does not canonicalize symlinks before enforcing roots

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by check…

chrome-devtools-mcp | Path Traversal
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
6.1 MEDIUM
CVE-2026-53765 — chrome-devtools-mcp: daemon.pid write follows symlinks in /tmp fallback runtime directory

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.20.0 until 1.1.0, The chrome-devtools-mcp daemon writes its PID file with fs.…

chrome-devtools-mcp | Misconfiguration
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-52794 — Sentry: Inefficient Regular Expression Complexity in sentry

Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where …

sentry | Remote | Denial of Service
Jun 24, 2026 Jun 27, 2026
Jun 24, 2026
Jun 27, 2026
9.9 CRITICAL
CVE-2026-50551 — SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer t…

siyuan | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
8.9 HIGH
CVE-2026-50189 — Appsmith: RCE via Supervisord XML-RPC Admin Interface Exposed via /supervisor Caddy Route

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the contai…

appsmith | Remote | Misconfiguration
Jun 24, 2026 Jun 26, 2026
Jun 24, 2026
Jun 26, 2026
5.1 MEDIUM
CVE-2026-49979 — Appsmith: SSRF via `POST /api/v1/admin/send-test-email` — JavaMail Bypasses WebClient IP …

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values a…

appsmith | Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 29, 2026
Jun 24, 2026
Jun 29, 2026
Showing 20 of 7970 Results