Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.6 MEDIUM
CVE-2026-46672 — Actual: CSV Formula Injection in `@actual-app/cli` `--format csv` Output via Custom `esca…

Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed,…

actual | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.1 HIGH
CVE-2026-44454 — Coder vulnerable to workspace auto-creation via crafted URL parameters without user conse…

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell comma…

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.5 MEDIUM
CVE-2026-58468 — NocoBase 2.1.20 Server-Side Request Forgery via serverRequest wrapper

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplyi…

Remote | Server-Side Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2026-44877 — Unauthenticated Remote Disclosure of Cryptographic Secrets

An unauthenticated remote disclosure vulnerability has been identified in HPE Networking Instant On 1830, 1930, and 1960 Switches. Successful exploitation of this vulnerability could allow an unauthe…

Remote | Cryptography
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-7017 — HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redi…

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_…

Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-59800 — 9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install E…

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher,…

Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.7 HIGH
CVE-2026-59708 — Ghostfolio - Unauthorized Portfolio Data Exposure via Public Endpoint

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attack…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.4 MEDIUM
CVE-2026-55435 — Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authentic…

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48958 — Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

An improper access check allows unauthorized users to create custom fields via webservices endpoints.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48957 — Joomla! Core - [20260711] - Incorrect Access Control in com_privacy webservice endpoints

An improper access check allows unauthorized users to access com_privacy datasets.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48956 — Joomla! Core - [20260710] - Incorrect Access Control in com_modules

An improper access check allows users to display a list of modules in the frontend.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48955 — Joomla! Core - [20260709] - Incorrect Access Control in com_workflow

An improper access check allows unauthorized users to access workflow stage and transition information.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48954 — Joomla! Core - [20260708] - XSS through language overrides

Improper validation leads to a generic XSS vector in the language override feature.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48953 — Joomla! Core - [20260707] - XSS in the generic image output layout

Lack of escaping leads to an XSS vulnerability in the generic image output layout.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48952 — Joomla! Core - [20260706] - XSS in com_installer

Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48951 — Joomla! Core - [20260705] - XSS in various modalreturn layouts

Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48950 — Joomla! Core - [20260704] - XSS in com_templates

Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48949 — Joomla! Core - [20260703] - XSS in MFA method management

Lack of validation leads to an XSS vulnerability in the MFA management views.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48948 — Joomla! Core - [20260702] - Incorrect Access Control in com_contact vcf download

An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48947 — Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints

An improper access check allows privileged users to overwrite media files without editing permissions.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7679 Results