Total CVEs

143,701

Critical Severity

4,088

High Severity

14,745

Last 7 Days

1,554
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,201 - 1,220 of 40,106 CVEs

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php (loggedin_client and loggedin_admin) ...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD
CVE-2026-42204 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an aut...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-42153 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to ...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacke...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-41899 MEDIUM - 6.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling spam...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-38979 MEDIUM - 5.4

ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards handler-added headers verbatim, and finalizes responses through WSGI start_response() without adding...

Published: Jul 06, 2026
Source: NVD
CVE-2026-38976 HIGH - 7.5

mrubyc through 3.4.1 was found to contain a NULL pointer dereference in src/vm.c in op_super() / OP_SUPER due to a missing runtime guard for top-level super.

Published: Jul 06, 2026
Source: NVD
CVE-2026-38973 MEDIUM - 4.4

mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().

Published: Jul 06, 2026
Source: NVD
CVE-2026-34599 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute a...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34167 MEDIUM - 5.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->acti...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34153 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-co...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34050 MEDIUM - 6.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure b...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-32718 MEDIUM - 6.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and servers...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD

Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)

Vendor: pip
Product: kiwitcms
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55501 HIGH - 7.3

9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFai...

Vendor: npm
Product: 9router
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55500 CRITICAL - 9.9

9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTEC...

Vendor: npm
Product: 9router
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54724 MEDIUM - 6.1

Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint

Vendor: pip
Product: kiwitcms
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54496 CRITICAL - 9.3

Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness

Vendor: rust
Product: zebrad
Published: Jul 06, 2026
Source: GitHub

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.5, Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt inj...

Vendor: pip
Product: langroid
Published: Jul 06, 2026
Source: GitHub