Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-54516 — jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() all…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jun 27, 2026
Jun 23, 2026
Jun 27, 2026
5.3 MEDIUM
CVE-2026-54515 — jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnorePrope…

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextua…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jun 29, 2026
Jun 23, 2026
Jun 29, 2026
5.3 MEDIUM
CVE-2026-54514 — jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed I…

jackson-databind | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 27, 2026
Jun 23, 2026
Jun 27, 2026
8.1 HIGH
CVE-2026-54513 — jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowI…

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jul 02, 2026
Jun 23, 2026
Jul 02, 2026
8.1 HIGH
CVE-2026-54512 — jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbi…

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeVali…

jackson-databind | Remote | Misconfiguration
Jun 23, 2026 Jun 27, 2026
Jun 23, 2026
Jun 27, 2026
6.9 MEDIUM
CVE-2026-53931 — NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable …

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-53930 — NocoDB: Server-Side Request Forgery via Base Migration URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing prot…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-53929 — NocoDB: Stored Cross-Site Scripting via Secure Attachment

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rend…

nocodb | Remote | Misconfiguration
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-53928 — NocoDB: Refresh Tokens Persist Through Password Recovery

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset th…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-53927 — NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in t…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-53926 — NocoDB: OAuth Tokens Persist Through Security Events

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and p…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-50193 — jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends …

jackson-databind | Remote | Denial of Service
Jun 23, 2026 Jun 27, 2026
Jun 23, 2026
Jun 27, 2026
2.3 LOW
CVE-2026-47388 — NocoDB: Missing Ownership Check in MCP Attachment Read

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including a…

nocodb | Remote | Authorization
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
8.4 HIGH
CVE-2026-47387 — NocoDB: Stored Cross-Site Scripting via Form View Redirect URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's …

nocodb | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-47386 — NocoDB: OAuth Authorization Code Race Condition

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-47385 — NocoDB: Path Traversal via SQLite Source Filename

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB…

nocodb | Remote | Path Traversal
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-47384 — NocoDB: SQL Injection via Column Title in Bulk GroupBy

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's …

nocodb | Remote | Injection
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
7.4 HIGH
CVE-2026-47383 — NocoDB: Stored Cross-Site Scripting via Row Comments

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the co…

nocodb | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-47382 — NocoDB: Server-Side Request Forgery via Database Connection Host

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-chec…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.9 MEDIUM
CVE-2026-47381 — NocoDB: Cross-Workspace Integration Use in Connection Test

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying …

nocodb | Remote | Authorization
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
Showing 20 of 7989 Results