Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.3 MEDIUM
CVE-2026-61860 — ImageMagick before 7.1.2-26 Use-After-Free via freetype

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a use-after-free vulnerability that occurs when freetype initialization fails: the method does not exit and continues to use memory that was already…

Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
4.8 MEDIUM
CVE-2026-61859 — ImageMagick before 7.1.2-26 Policy Bypass via script operation

ImageMagick before 7.1.2-26 and 6.9.13-x before 6.9.13-51 contains a policy bypass vulnerability in the -script operation due to missing security policy checks. This allows reading files from paths t…

| Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
1.8 LOW
CVE-2026-61464 — ImageMagick before 7.1.2-26 Heap Buffer Over-Write via X11

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a heap-based buffer over-write vulnerability that occurs when running an X11 import with a crafted window title, which can result in heap memory cor…

| Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.8 HIGH
CVE-2026-61457 — Grav before 1.0.3 Remote Code Execution via File Upload Extension Bypass

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension() inspects only the final fi…

grav | Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.1 MEDIUM
CVE-2026-61453 — Grav before 2.0.1 XSS via Twig String Concatenation

Grav v2.0.0 contains a cross-site scripting vulnerability (fixed in 2.0.1). The XSS blueprint validator (Security::detectXss()) runs on raw page content before Twig processing. When Twig content proc…

grav | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.9 MEDIUM
CVE-2026-61452 — Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot…

grav | Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.6 CRITICAL
CVE-2026-61451 — Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url

The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl() fu…

grav | Remote | Server-Side Request Forgery
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-61449 — Grav before 2.0.2 Decompression Bomb via Forged ZIP Size

Grav 2.0.1 contains a decompression-bomb size-cap bypass in ZipArchiver and GPM\Installer. The size bound introduced in 2.0.1 sums the uncompressed size declared in each entry's ZIP central-directory…

grav | Remote | Denial of Service
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.6 HIGH
CVE-2026-61446 — PraisonAI before 1.6.78 Remote Code Execution via Plugin Auto-Discovery

PraisonAI (praisonaiagents) before 1.6.78 contains a remote code execution vulnerability in the plugin manager, which loads and executes arbitrary Python (.py) files from project-level and user-home …

| Supply Chain
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.6 HIGH
CVE-2026-61443 — PraisonAI before 1.6.78 Remote Code Execution via SkillTools

PraisonAI before 1.6.78 contains a remote code execution vulnerability in SkillTools.run_skill_script() that executes scripts without path containment validation. Attackers can supply absolute file p…

Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-61440 — PraisonAI Platform before 0.1.9 Authorization Bypass via Label Endpoints

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created i…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.3 HIGH
CVE-2026-61438 — PraisonAI before 4.6.78 Remote Code Execution via Broken AST Sandbox

PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor._exec_inline_python() due to insufficient AST validation of workflow script steps. Attackers can create m…

| Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.8 HIGH
CVE-2026-61436 — PraisonAI before 4.6.78 Missing Webhook Signature Verification

PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payload…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.8 HIGH
CVE-2026-61435 — PraisonAI before 4.6.78 Authentication Bypass via Host Header Spoofing

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints (src/praisonai/praisonai/api/agent_invoke.py) when PRAISONAI_CALL_AUTH=disabled is configured. The…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.5 HIGH
CVE-2026-61433 — PraisonAI before 4.6.78 Code Injection via API deployment generator

PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy…

| Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.5 HIGH
CVE-2026-61430 — PraisonAI before 1.6.78 DNS Rebinding SSRF via web_crawl

PraisonAI before 1.6.78 contains a server-side request forgery vulnerability in the web_crawl tool that validates hostnames at check time but re-resolves them at connection time without IP pinning. A…

Remote | Server-Side Request Forgery
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.3 HIGH
CVE-2026-61427 — PraisonAI before 4.6.78 Authentication Bypass via HTTP-stream

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks wh…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.9 MEDIUM
CVE-2026-60087 — PraisonAI before 1.6.78 Tool Approval Cache Bypass

PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by ob…

| Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.7 HIGH
CVE-2026-60085 — PraisonAI before 4.6.78 Unenforced Security Policy in Subprocess Sandbox

PraisonAI before 4.6.78 contains an unenforced security policy vulnerability in the default Subprocess Sandbox backend where blocked_commands, blocked_paths, blocked_imports, allow_subprocess, and al…

Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.0 MEDIUM
CVE-2026-59259 — n8n - Permission Bypass via Expression Parser Mismatch in External Secrets

n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expre…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
Showing 20 of 8424 Results