Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-51946 — GoAdminGroup GoAdmin SQL Injection

SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the the __sort_type URL parameter on…

Remote | Injection
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
6.2 MEDIUM
CVE-2026-36909 — MPC-BE NULL Pointer Dereference Denial of Service

A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

| Memory Corruption
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
5.5 MEDIUM
CVE-2026-36910 — MPC-BE Out-of-Bounds Read Denial of Service

An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

| Memory Corruption
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
5.5 MEDIUM
CVE-2026-36911 — Aleksoid MPC-BE division-by-zero Denial of Service

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a craf…

| Denial of Service
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-56700 — Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command …

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize u…

grav-plugin-admin | Remote | Injection
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
10.0 CRITICAL
CVE-2026-56415 — OS Command Injection in StoneFly Storage Concentrator

Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP …

storage_concentrator | Remote | Injection
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
10.0 CRITICAL
CVE-2026-56413 — OS Command Injection in StoneFly Storage Concentrator

Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform devic…

storage_concentrator | Remote | Injection
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
5.3 MEDIUM
CVE-2026-56334 — Capgo - Missing UPDATE RLS Policy for Build Status Persistence

Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit thi…

Remote | Authorization
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
5.3 MEDIUM
CVE-2026-56333 — Capgo - Server-Side Validation Bypass via Direct Browser-Side Organization Security Setti…

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers…

Remote | Misconfiguration
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
6.9 MEDIUM
CVE-2026-56331 — Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String

Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can t…

Remote | Misconfiguration
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
7.1 HIGH
CVE-2026-56328 — Capgo - Integrity Issue in Release Routing via Multiple Public Channels

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hi…

Remote | Misconfiguration
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
6.9 MEDIUM
CVE-2026-56327 — Capgo - Unauthenticated Organization Existence Oracle via public.invite_user_to_org RPC

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by obser…

Remote | Information Disclosure
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
7.1 HIGH
CVE-2026-56320 — Capgo - Org/App Scope Mismatch in Device Creation Endpoint

Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. …

Remote | Authorization
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
6.9 MEDIUM
CVE-2026-56318 — Capgo - Information Disclosure via /private/validate_password_compliance Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and ex…

Remote | Information Disclosure
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
8.7 HIGH
CVE-2026-56300 — Capgo - Unauthenticated API Key Validity and Permission Oracle via RPC Functions

Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated at…

Remote | Authentication
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
8.1 HIGH
CVE-2026-56286 — Capgo - Account Deletion Without Password Confirmation

Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can…

Remote | Authentication
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.3 CRITICAL
CVE-2026-56278 — Flowise - Session Hijacking via Weak Default Express Session Secret

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is…

flowise | Remote | Authentication
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
6.9 MEDIUM
CVE-2026-56277 — Flowise - Hardcoded CORS Wildcard in TTS Endpoint

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independen…

flowise | Remote | Misconfiguration
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.2 CRITICAL
CVE-2026-56264 — Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the se…

crawl4ai | Remote | Authentication
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
7.6 HIGH
CVE-2026-56249 — Capgo - Unauthorized Channel Overwrite and Ownership Takeover via POST /channel Name Coll…

Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers …

Remote | Authorization
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
Showing 20 of 8012 Results