Total CVEs

143,768

Critical Severity

4,091

High Severity

14,768

Last 7 Days

1,527
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,321 - 1,340 of 40,173 CVEs
CVE-2026-55426 HIGH - 7.8

Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command

Vendor: pip
Product: linuxfabrik-lib
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55437 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the `AgentLogLine` dashboard component instantiated `ansi-to-html` without `escapeXML: true` and inserted the result via `dangerouslySetInnerHTML` so HTML emb...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55436 HIGH - 7.4

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, the AI Bridge Proxy (`aibridgeproxyd`) created a goproxy server whose default transport set `InsecureSkipVerify: true` and only assigned...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55435 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55434 MEDIUM - 6.5

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with `io.ReadAll` without a maximum size so an authenticated user with AI Bridge access could sen...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55433 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performe...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55432 MEDIUM - 5.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, let...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55431 HIGH - 7.7

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder open app` opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the `$SESSION_TOKEN` placeholder th...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55078 MEDIUM - 6.5

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `POST /api/v2/files` converts zip uploads to tar in memory via `CreateTarFromZip`, which enforced a per-entry size limit but no ...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55430 MEDIUM - 5.8

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from `httpapi.RequestHost()` which prefers the `X-Forwarded-Host` header over the real `Host` header. No middle...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55428 HIGH - 8.2

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the tailnet coordinator validates that an agent's `Addresses` derive from its authenticated UUID but applies no equivalent check to `AllowedIPs`. The coor...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55429 HIGH - 8.7

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `UpsertWorkspaceApp` overwrites an existing app's `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner's...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55079 MEDIUM - 4.9

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `Dat...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55427 HIGH - 8.3

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `coder config-ssh` wrote server-supplied SSH settings (`HostnameSuffix`, `SSHConfigOptions`) into the user's `~/.ssh/config` without sanitizing embedded n...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55077 HIGH - 7.2

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `PUT /api/v2/users/{user}/password` endpoint authorized only `ActionUpdatePersonal` and did not prevent a `user-admin` from resetting an `owner` account�...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55075 HIGH - 7.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing li...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-55076 HIGH - 7.4

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP returned the claim as a non-boolean (for example the st...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54640 HIGH - 7.6

OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory

Vendor: maven
Product: io.openremote:openremote-agent
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54641 HIGH - 7.7

OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl

Vendor: maven
Product: io.openremote:openremote-manager
Published: Jul 06, 2026
Source: GitHub
CVE-2026-53935 MEDIUM - 6.9

Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespace ...

Vendor: go
Product: github.com/cilium/cilium
Published: Jul 06, 2026
Source: GitHub