Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-59705 — mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints

mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers regi…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-59704 — Cap - Missing Access Control in Video AI Metadata Endpoint

Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can suppl…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2026-55078 — Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` conver…

coder | Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.2 HIGH
CVE-2026-55077 — Coder: User-admin role can reset owner account password

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorize…

coder | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.4 HIGH
CVE-2026-55076 — Coder's OIDC email_verified type coercion bypass enables account takeover via unverified …

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a dire…

coder | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-51937 — Oneblog Information Disclosure Vulnerability

An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component

| Information Disclosure
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-50811 — FreeType Out-of-Bounds Read Vulnerability

An out-of-bounds read vulnerability exists in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 in src/truetype/ttgxvar.c, in the TT_Get_Var_Design implementation us…

| Memory Corruption
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-50810 — GPAC NULL Pointer Dereference Denial of Service

A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of ser…

| Memory Corruption
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-37271 — Fire-Boltt Smartwatch Improper Authentication Vulnerability

Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session v…

| Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-37270 — Trueview Security Camera Authentication Bypass

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

| Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-36163 — LiquidFiles Stored Cross-Site Scripting Vulnerability

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading…

| Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-36162 — LiquidFiles Upload File Shares API Stored Cross-Site Scripting

An authenticated stored cross-site scripting (XSS) vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via injecting a crafted p…

| Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-14895 — String::Util versions before 1.36 for Perl are susceptible to a regular expression denial…

String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service. The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches gr…

| Denial of Service
Jul 07, 2026 Jul 08, 2026
Jul 07, 2026
Jul 08, 2026
0.0 NA
CVE-2026-14740 — DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting …

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a c…

| Memory Corruption
Jul 07, 2026 Jul 08, 2026
Jul 07, 2026
Jul 08, 2026
0.0 NA
CVE-2026-14739 — DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements wi…

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle app…

| Memory Corruption
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-14380 — DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced…

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and…

| Injection
Jul 07, 2026 Jul 08, 2026
Jul 07, 2026
Jul 08, 2026
9.3 CRITICAL
CVE-2026-59706 — mem0 - Server-Side Request Forgery and Plaintext API Key Exposure via Unauthenticated Con…

mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attac…

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
2.1 LOW
CVE-2026-59153 — Anki's local HTTP server does not sufficiently validate requests

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other ori…

anki | Remote | Server-Side Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2026-58266 — Anki: User scripts in iframes have access to the internal Anki API

Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via …

anki | Remote | Information Disclosure
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2026-55490 — OpenWrt: EAD Integer Underflow → Pre-Auth Denial of Service

OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker on the loca…

| Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7681 Results