Threat Intelligence Feed

Aggregating 5575 articles from trusted cybersecurity sources

LATEST CVEs
HIGH · CVE-2026-56082 Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST
CRIT · CVE-2026-56081 Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound
MED · CVE-2026-56080 Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and
MED · CVE-2026-56079 Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-
CRIT · CVE-2026-56073 Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypa
HIGH · CVE-2026-50559 Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3,
MED · CVE-2026-50519 Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized at
HIGH · CVE-2026-49346 libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream wi
MED · CVE-2026-49337 libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265
HIGH · CVE-2026-49295 libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream c
CVE-2026-48794 Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-o
CRIT · CVE-2026-48584 Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a networ
CRIT · CVE-2026-48582 Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
MED · CVE-2026-48129 Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kes
HIGH · CVE-2026-47645 Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized atta
CVE-2026-47203 Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-o
CRIT · CVE-2026-45480 Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
MED · CVE-2026-42895 Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unaut
HIGH · CVE-2026-32208 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based)
CVE-2026-49345 Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19,
CVE-2026-49344 Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19,
MED · CVE-2026-49342 YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache
CVE-2026-48787 gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to t
HIGH · CVE-2026-48774 ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MC
CRIT · CVE-2026-48773 ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authenticat
CRIT · CVE-2026-48772 ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL
CVE-2026-48715 radvd is a router advertisement daemon for IPv6. Prior to version 2.21, the `radvdump` utility shipped with radvd contai
CVE-2026-48089 DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instanc
CVE-2026-9375 urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when u
HIGH · CVE-2026-49340 gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic e
HIGH · CVE-2026-49339 gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6
HIGH · CVE-2026-49338 gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subso
CVE-2026-49336 @microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-prev
HIGH · CVE-2026-49293 js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 pa
HIGH · CVE-2026-49291 mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpo
MED · CVE-2026-49288 Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Con
MED · CVE-2026-27878 A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive
MED · CVE-2026-12726 A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller sto
MED · CVE-2026-12238 The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up t
HIGH · CVE-2023-54357 Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attacker
Categories: General (2369) · Vulnerability Disclosure (682) · CVE (640) · Campaigns (437) · Data Breach (312) · Malware (294)

Latest News

#StopRansomware: Interlock

Summary Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ...
