Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.7 HIGH
CVE-2026-52805 — Gogs: Migration Redirect Bypass Leads to Internal Repository Theft

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only th…

gogs | Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 26, 2026
5.5 MEDIUM
CVE-2026-52804 — Gogs: Privilege Escalation via Collaboration Access Mode Validation

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCol…

gogs | Remote | Authorization
Jun 24, 2026 Jun 26, 2026
5.4 MEDIUM
CVE-2026-52802 — Gogs: Open Redirect via redirect_to in Gogs

Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirec…

gogs | Remote | Misconfiguration
Jun 24, 2026 Jun 25, 2026
8.1 HIGH
CVE-2026-52801 — Gogs: Ability to import local repositories via Mirror Settings

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provides an alternative to the well-protected New Migration functionality for any authenti…

gogs | Remote | Authentication
Jun 24, 2026 Jun 25, 2026
8.8 HIGH
CVE-2026-52800 — Gogs: CSRF Leading to Organization Owner Takeover

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owne…

gogs | Remote | Cross-Site Request Forgery
Jun 24, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-52799 — Gogs: Missing Authorization in Attachment Download

Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated …

gogs | Remote | Authorization
Jun 24, 2026 Jun 25, 2026
8.9 HIGH
CVE-2026-52798 — Gogs: Stored XSS in `.ipynb` Preview

Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client…

gogs | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
8.5 HIGH
CVE-2026-52797 — Gogs: Overwriting critical files results in a denial of service

Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value that is passed to the git diff command, which, together with bypassing the fi…

gogs | Remote | Path Traversal
Jun 24, 2026 Jun 25, 2026
3.5 LOW
CVE-2026-52796 — Gogs: DoS in rendering issue index pattern

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, …

gogs | Remote | Denial of Service
Jun 24, 2026 Jun 25, 2026
4.3 MEDIUM
CVE-2026-52795 — Gogs: Authorization Bypass in Watch API allows any user to monitor private repository act…

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler …

gogs | Remote | Authorization
Jun 24, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-50129 — Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered (an Uncaught Exception vulnerability) due to missing exception …

mastodon | Remote | Denial of Service
Jun 24, 2026 Jun 25, 2026
5.3 MEDIUM
CVE-2026-50128 — Mastodon: Spoofing of attribution domains

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent fal…

mastodon | Remote | Misconfiguration
Jun 24, 2026 Jun 25, 2026
6.7 MEDIUM
CVE-2026-49278 — Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor I…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://devel…

rocket.chat | Remote | Information Disclosure
Jun 24, 2026 Jun 26, 2026
2.3 LOW
CVE-2026-49277 — Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or …

rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 26, 2026
4.4 MEDIUM
CVE-2026-47733 — Rocket.Chat: Missing URL protocol sanitization in ImageElement allows javascript: URLs in…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a…

rocket.chat | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
8.3 HIGH
CVE-2026-47267 — Gogs: SSRF in webhook deliveries

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webhooks or running webhooks with URLs whose hostname resolves into localCIDRs. However, …

gogs | Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 25, 2026
9.3 CRITICAL
CVE-2026-46423 — Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implemen…

rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 26, 2026
2.3 LOW
CVE-2026-45757 — Rocket.Chat: `users.deactivateIdle` deactivates accounts without revoking existing login t…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through…

rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-45689 — Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User …

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains …

rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 26, 2026
9.1 CRITICAL
CVE-2026-45688 — Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML …

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the…

rocket.chat | Remote | Injection
Jun 24, 2026 Jun 26, 2026
Showing 20 of 8008 Results