Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,515
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,301 - 1,320 of 40,154 CVEs
CVE-2026-55438 MEDIUM - 5.8

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, t...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55426 HIGH - 7.8

Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command

Vendor: pip
Product: linuxfabrik-lib
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55437 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML emb...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55436 HIGH - 7.4

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55435 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55434 MEDIUM - 6.5

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could sen...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55433 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performe...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55432 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, let...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55431 HIGH - 7.7

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder th...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55078 MEDIUM - 6.5

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no ...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55430 MEDIUM - 5.8

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middle...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55428 HIGH - 8.2

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coor...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55429 HIGH - 8.7

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55079 MEDIUM - 4.9

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `Dat...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55427 HIGH - 8.3

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user's `~/.ssh/config` without sanitizing embedded n...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55077 HIGH - 7.2

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account�...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55075 HIGH - 7.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing li...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55076 HIGH - 7.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the st...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54640 HIGH - 7.6

OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory

Vendor: maven
Product: io.openremote:openremote-agent
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54641 HIGH - 7.7

OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl

Vendor: maven
Product: io.openremote:openremote-manager
Published: Jul 06, 2026
Source: GitHub