Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,261
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 701 - 720 of 39,637 CVEs
CVE-2026-34198 MEDIUM - 5.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting X-Forwarded-Host from any source. The TrustHosts middleware, intended to prevent host head...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34171 HIGH - 8.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit ...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34170 MEDIUM - 4.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a Gi...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34168 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a storag...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34152 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inj...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an au...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34058 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34057 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without lock...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34048 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes an...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34047 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outsid...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34044 HIGH - 7.7

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by ...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34037 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authentic...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34035 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands executed on the ho...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34034 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell synt...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-11328 MEDIUM - 6.4

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contrib...

Vendor: timstrifler
Product: Exclusive Addons for Elementor
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable product, FOSSBilling stores the file as `md5(<original filena...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (`custom_*` fields) stored ...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 07, 2026
Source: NVD
CVE-2026-13356 MEDIUM - 6.3

A malicious webpage could interrupt a pending navigation by enqueuing a synchronous JavaScript dialog, causing the browser UI to display the destination origin in the address bar while continuing to render attacker-controlled content. This vulnerability was fixed in Firefox for iOS 152.3.

Vendor: Mozilla
Product: Firefox for iOS
Published: Jul 07, 2026
Source: NVD
CVE-2024-56141 MEDIUM - 5.0

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager  encryption routine ( CryptManager.kt ) initializes its AES cipher using an initialization vector (IV) that is set equal to the sec...

Vendor: Bixilon
Product: Minosoft
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a `ClientPasswordReset` record already exists for a client (from a previous unexpired reset request), subsequent calls to the `reset_password` guest API endpoint reuse the existing token in...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD