Total CVEs

143,701

Critical Severity

4,088

High Severity

14,745

Last 7 Days

1,554
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 1,181 - 1,200 of 40,106 CVEs
CVE-2026-34037 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authentic...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34035 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands executed on the ho...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34034 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell synt...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-11328 MEDIUM - 6.4

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contrib...

Vendor: timstrifler
Product: Exclusive Addons for Elementor
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable product, FOSSBilling stores the file as `md5(<original filena...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (`custom_*` fields) stored ...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 07, 2026
Source: NVD
CVE-2026-13356 MEDIUM - 6.3

A malicious webpage could interrupt a pending navigation by enqueuing a synchronous JavaScript dialog, causing the browser UI to display the destination origin in the address bar while continuing to render attacker-controlled content. This vulnerability was fixed in Firefox for iOS 152.3.

Vendor: Mozilla
Product: Firefox for iOS
Published: Jul 07, 2026
Source: NVD
CVE-2024-56141 MEDIUM - 5.0

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager  encryption routine ( CryptManager.kt ) initializes its AES cipher using an initialization vector (IV) that is set equal to the sec...

Vendor: Bixilon
Product: Minosoft
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a `ClientPasswordReset` record already exists for a client (from a previous unexpired reset request), subsequent calls to the `reset_password` guest API endpoint reuse the existing token in...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user that only has `staff.create_and_edit...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `suspended`, `canceled`). The root cause is missing order-state v...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the `can_always_access` module flag (which grants all staff access to certa...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) can access all client-area pages (e.g. `/client/bal...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views of FOSSBilling. Email HTML content (`content_html`) is rendered into a JavaScript template literal usi...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding read...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD
CVE-2026-59710 MEDIUM - 6.1

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown ...

Vendor: showdown
Product: showdown
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount (`mc_gross`) to the client's balance without validating it against the invoice total. Combined with a...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request compl...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can ga...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. When configuration values are updated, string values are written into `config.php` without es...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD