U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.


The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-56292 - A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.
    Published: July 09, 2026; 11:16:37 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-54329 - Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while company_id is mass assignable, allowing a low-privileged authenticated user in one comp... read CVE-2026-54329
    Published: July 10, 2026; 3:17:24 PM -0400

    V3.1: 7.7 HIGH

  • CVE-2026-55460 - Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy... read CVE-2026-55460
    Published: July 10, 2026; 3:17:24 PM -0400

  • CVE-2026-55464 - Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a user with assets.edit permission to place a malicious link in a markdown-texta... read CVE-2026-55464
    Published: July 10, 2026; 3:17:24 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-60108 - Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by ... read CVE-2026-60108
    Published: July 09, 2026; 11:16:41 AM -0400

  • CVE-2026-55472 - Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects an invalid parent-child company mismatch but does not return i... read CVE-2026-55472
    Published: July 10, 2026; 3:17:24 PM -0400

  • CVE-2026-55474 - Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an authenticated attacker to traverse ... read CVE-2026-55474
    Published: July 10, 2026; 3:17:25 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-55476 - Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authentic... read CVE-2026-55476
    Published: July 10, 2026; 3:17:25 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-60109 - Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUI... read CVE-2026-60109
    Published: July 09, 2026; 11:16:41 AM -0400

  • CVE-2026-15308 - The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.
    Published: July 09, 2026; 1:16:58 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-55478 - Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to the referenced license object, allowing a low-privilege user with prede... read CVE-2026-55478
    Published: July 10, 2026; 3:17:25 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-55516 - Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/{maintenance_id} checks access to the current maintenance record and asset but then fills attacker-controlled fields including asset_id without re... read CVE-2026-55516
    Published: July 10, 2026; 3:17:25 PM -0400

  • CVE-2026-55843 - Snipe-IT is an IT asset/license management system. Prior to 8.6.0, UsersController::update() passes a missing permission request field through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction in a way that can ... read CVE-2026-55843
    Published: July 10, 2026; 3:17:26 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-59212 - Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through w... read CVE-2026-59212
    Published: July 09, 2026; 1:17:01 PM -0400

  • CVE-2026-59895 - Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allo... read CVE-2026-59895
    Published: July 08, 2026; 1:17:27 PM -0400

  • CVE-2026-59896 - Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or... read CVE-2026-59896
    Published: July 08, 2026; 1:17:27 PM -0400

  • CVE-2026-59897 - Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring com... read CVE-2026-59897
    Published: July 08, 2026; 1:17:27 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2026-59213 - Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing per... read CVE-2026-59213
    Published: July 09, 2026; 1:17:02 PM -0400

    V3.1: 5.0 MEDIUM

  • CVE-2026-55542 - Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-m... read CVE-2026-55542
    Published: July 08, 2026; 5:16:50 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-48492 - Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginate... read CVE-2026-48492
    Published: July 08, 2026; 6:17:14 PM -0400

    V3.1: 6.5 MEDIUM

Created September 20, 2022 , Updated August 27, 2024