Common Vulnerabilities and Exposures (CVE)

CVE-2026-14380

Jul 7, 2026 22:04:49 UTC

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package ...

CVE-2026-36162

Jul 7, 2026 22:02:48 UTC

An authenticated stored cross-site scripting (XSS) vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via injecting a crafted payload into the Name parameter.

CVE-2026-49033

Jul 7, 2026 21:53:38 UTC

The application contains a stack-based buffer overflow vulnerability that can be exploited by an attacker to execute arbitrary code.

CVE-2026-42958

Jul 7, 2026 21:52:25 UTC

The application contains a use-after-free vulnerability that can be exploited to cause memory corruption while parsing specially crafted files. This could allow an attacker to execute arbitrary code in the context of the current process.

CVE-2026-42953

Jul 7, 2026 21:39:04 UTC

The application contains an out-of-bounds write vulnerability that can be exploited by an attacker to cause the program to write data past the end of an allocated memory buffer. This can lead to arbitrary code execution.

CVE-2026-55075

Jul 7, 2026 21:33:38 UTC

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back ...

CVE-2026-54698

Jul 7, 2026 21:29:23 UTC

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for th...

CVE-2026-54602

Jul 7, 2026 21:24:20 UTC

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated u...

CVE-2026-54607

Jul 7, 2026 21:20:43 UTC

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URLs...

CVE-2026-55418

Jul 7, 2026 21:18:45 UTC

FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that th...

CVE-2026-54601

Jul 7, 2026 21:16:12 UTC

FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-own...

CVE-2026-58266

Jul 7, 2026 21:13:42 UTC

Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API...

CVE-2026-59153

Jul 7, 2026 21:11:01 UTC

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A mal...

CVE-2026-46354

Jul 7, 2026 21:10:01 UTC

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains ...

CVE-2026-55490

Jul 7, 2026 21:08:26 UTC

OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker on the local network to crash the daemon by sending ...