Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-41899 — Coolify unauthenticated feedback endpoint allows Discord webhook abuse

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input v…

coolify | Remote | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
0.0 NA
CVE-2026-38979 — Ajenti Clickjacking Vulnerability

ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards…

| Misconfiguration
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
0.0 NA
CVE-2026-38976 — mruby/c NULL Pointer Dereference

mrubyc through 3.4.1 was found to contain a NULL pointer dereference in src/vm.c in op_super() / OP_SUPER due to a missing runtime guard for top-level super.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
0.0 NA
CVE-2026-38973 — mruby/c Out-of-Bounds Read

mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-34599 — Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs L…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.0 MEDIUM
CVE-2026-34167 — Coolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityM…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId proper…

coolify | Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-34153 — Coolify LocalFileVolume fs_path command injection enables RCE

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-34050 — Coolify Settings/Updates Livewire component missing instance administrator authorization

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in …

coolify | Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
3.3 LOW
CVE-2026-34049 — Coolify: Command Injection via unsanitized MongoDB collection names in database backup

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names d…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-32718 — Coolify read-scoped API tokens can perform state-changing validation operations

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing re…

coolify | Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.6 HIGH
CVE-2026-59713 — Leantime - OIDC Login CSRF via Unconditional State Verification Stub

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with …

Remote | Cross-Site Request Forgery
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.6 HIGH
CVE-2026-59712 — Leantime - Credential Disclosure via Unauthenticated JSON-RPC users.getUser Method

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and…

Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.1 MEDIUM
CVE-2026-59711 — showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.6 HIGH
CVE-2026-57573 — Crawl4AI unauthenticated SSRF in Docker streaming crawl endpoint

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server applied its SSRF destination check on the non-streaming /crawl path but not on the streaming pat…

Remote | Server-Side Request Forgery
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
10.0 CRITICAL
CVE-2026-57572 — Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.ex…

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied browser_config.extra_args, which flowed into Chromium's launch argumen…

Remote | Misconfiguration
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
9.6 CRITICAL
CVE-2026-57571 — Crawl4AI arbitrary file write via download filename path traversal

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined…

Remote | Path Traversal
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.5 HIGH
CVE-2026-55727 — Genetec Security Center Authentication Bypass Vulnerability

A flaw in the authentication mechanism for video stream requests in Genetec Security Center 5.14.0.0 prior to build 5.14.178.18 may allow an unauthenticated attacker to access live video streams.

security_center | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.7 HIGH
CVE-2026-55574 — vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outline…

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string dire…

vllm | Remote | Denial of Service
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.1 HIGH
CVE-2026-55514 — vLLM denial of service via prompt embeds on M-RoPE models

vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an…

vllm | Remote | Denial of Service
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.3 MEDIUM
CVE-2026-54765 — Traefik: Gateway HTTPRoute backendRef filters can leak backend context across routes shar…

Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend…

Remote | Misconfiguration
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
Showing 20 of 7552 Results