U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.


The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-58373 - CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_obj... read CVE-2026-58373
    Published: June 30, 2026; 1:16:25 PM -0400

  • CVE-2026-55590 - CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targe... read CVE-2026-55590
    Published: July 09, 2026; 3:17:06 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-42505 - Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.
    Published: July 08, 2026; 1:17:21 PM -0400

  • CVE-2026-59890 - setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob... read CVE-2026-59890
    Published: July 08, 2026; 1:17:27 PM -0400

  • CVE-2026-44512 - Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. From 1.9.0 before 1.22.0, onnx.version_converter.convert_version() can dereference a null pointer in Upsample_6_7::adapt_upsample_6_7() in onnx/version_... read CVE-2026-44512
    Published: July 08, 2026; 4:16:49 PM -0400

  • CVE-2026-55404 - yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename met... read CVE-2026-55404
    Published: July 08, 2026; 4:16:52 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-58661 - n8n before 2.28.0 (and before 1.123.58 on the 1.x branch) contains a disk space exhaustion vulnerability in the data-table file upload endpoint. The per-request quota check does not account for files already written to the shared temporary directo... read CVE-2026-58661
    Published: July 10, 2026; 11:16:47 AM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-56354 - n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Au... read CVE-2026-56354
    Published: July 10, 2026; 11:16:43 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-13707 - Session fixation vulnerability in Wikimedia Foundation OAuth. This vulnerability is associated with program files src/Backend/MWOAuthServer.Php. This issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.
    Published: July 01, 2026; 12:16:31 PM -0400

    V3.1: 7.6 HIGH

  • CVE-2026-58254 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving th... read CVE-2026-58254
    Published: July 08, 2026; 4:16:55 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-59209 - n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated headers exposed via the $request object inside an ... read CVE-2026-59209
    Published: July 09, 2026; 1:17:01 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-59795 - In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible
    Published: July 10, 2026; 11:16:48 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-59796 - In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks
    Published: July 10, 2026; 11:16:48 AM -0400

  • CVE-2026-58253 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply ... read CVE-2026-58253
    Published: July 08, 2026; 4:16:54 PM -0400

  • CVE-2026-58252 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a ... read CVE-2026-58252
    Published: July 08, 2026; 4:16:54 PM -0400

  • CVE-2026-58251 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queu... read CVE-2026-58251
    Published: July 08, 2026; 4:16:54 PM -0400

  • CVE-2026-59828 - Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSer... read CVE-2026-59828
    Published: July 09, 2026; 6:17:09 PM -0400

  • CVE-2026-56261 - Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing ... read CVE-2026-56261
    Published: July 10, 2026; 11:16:42 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-58250 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server durin... read CVE-2026-58250
    Published: July 08, 2026; 4:16:54 PM -0400

  • CVE-2026-58214 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured s... read CVE-2026-58214
    Published: July 08, 2026; 4:16:54 PM -0400

Created September 20, 2022 , Updated August 27, 2024