CVE tracker
358 subscribers
4.81K links
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
Download Telegram
CVE-2026-61455 - Grav before 2.0.1 Decompression Bomb via ZipArchiver

CVE ID :CVE-2026-61455
Published : July 10, 2026, 3:16 p.m. | 1 hour, 3 minutes ago
Description :Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract() that lacks limits on uncompressed size, file count, and nesting depth. Attackers can supply a crafted ZIP archive that expands to fill available disk space, causing denial of service by exhausting storage resources.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61456 - Grav before 1.0.3 Stored XSS via SVG Upload API

CVE ID :CVE-2026-61456
Published : July 10, 2026, 3:16 p.m. | 1 hour, 3 minutes ago
Description :The Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile() method validates only the file extension and never invokes Security::sanitizeSVG(), so an authenticated attacker with the api.media.write permission can upload an SVG containing arbitrary JavaScript. The file is stored unmodified and served with Content-Type: image/svg+xml; when an administrator opens it in a browser (directly or via /
CVE-2026-61492 - JetBrains YouTrack Stored Cross-Site Scripting

CVE ID :CVE-2026-61492
Published : July 10, 2026, 3:16 p.m. | 1 hour, 3 minutes ago
Description :In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55501 - 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

CVE ID :CVE-2026-55501
Published : July 10, 2026, 3:23 p.m. | 56 minutes ago
Description :9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15143 - Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:)

CVE ID :CVE-2026-15143
Published : July 10, 2026, 3:25 p.m. | 55 minutes ago
Description :A flaw was found in the file_type content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition (XSD) string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file reads, potentially resulting in sensitive information disclosure, such as cloud provider credentials or access to internal network services.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55500 - 9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover

CVE ID :CVE-2026-55500
Published : July 10, 2026, 3:28 p.m. | 52 minutes ago
Description :9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. This issue is fixed in version 0.4.80.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-56676 - 9router: Image prefetch DNS rebinding allows SSRF to internal services

CVE ID :CVE-2026-56676
Published : July 10, 2026, 3:30 p.m. | 49 minutes ago
Description :9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-5801 - SQLi in Semtek Informatics' SEM-PMP

CVE ID :CVE-2026-5801
Published : July 10, 2026, 7:17 p.m. | 1 hour, 3 minutes ago
Description :Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line Execution through SQL Injection. This issue affects SEM-PMP: through 23042026.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61459 - MCP Server Kubernetes < 3.9.0 Argument Injection via kubectl Structured Tools

CVE ID :CVE-2026-61459
Published : July 10, 2026, 7:17 p.m. | 1 hour, 3 minutes ago
Description :MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61460 - Krayin CRM Insecure Direct Object Reference via Controllers

CVE ID :CVE-2026-61460
Published : July 10, 2026, 7:17 p.m. | 1 hour, 3 minutes ago
Description :Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61461 - Dify < 1.16.0-rc1 SQL Injection via MyScale Vector Store search_by_full_text

CVE ID :CVE-2026-61461
Published : July 10, 2026, 7:17 p.m. | 1 hour, 3 minutes ago
Description :Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the search_by_full_text method without escaping or parameterization. Attackers can inject malicious SQL through the search parameters to read, modify, or delete data in the underlying ClickHouse database.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6212 - IDOR in Teracity's TeraMIS

CVE ID :CVE-2026-6212
Published : July 10, 2026, 7:17 p.m. | 1 hour, 3 minutes ago
Description :Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc. TeraMIS allows Privilege Abuse. This issue affects TeraMIS: from V03.26.01.14 through 30.04.2026.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6872 - Rejected reason: ** REJECT ** DO NOT USE THIS CAND

CVE ID :CVE-2026-6872
Published : July 10, 2026, 7:17 p.m. | 1 hour, 3 minutes ago
Description :Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55462 - Snipe-IT: Authorization bypass on print inventory page

CVE ID :CVE-2026-55462
Published : July 10, 2026, 7:35 p.m. | 46 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55515 - Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint

CVE ID :CVE-2026-55515
Published : July 10, 2026, 7:36 p.m. | 44 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset, allowing a reports user in one company to delete pending checkout acceptance records for another company. This issue is fixed in version 8.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55466 - Snipe-IT: Stored XSS via inline-served attachment

CVE ID :CVE-2026-55466
Published : July 10, 2026, 7:37 p.m. | 43 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or XML content that is later served same-origin and executes JavaScript in a viewer’s browser. This issue is fixed in version 8.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55452 - Snipe-IT: CSV formula injection in Activity Report export

CVE ID :CVE-2026-55452
Published : July 10, 2026, 7:40 p.m. | 41 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. This issue is fixed in version 8.5.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55479 - Snipe-IT: Incorrect permission for legacy license checkin API

CVE ID :CVE-2026-55479
Published : July 10, 2026, 7:40 p.m. | 40 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses but not unassign them to directly access the old checkin endpoint and reclaim a license seat assigned to another user or asset. This issue is fixed in version 8.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55461 - Snipe-IT: Open Redirect After User Edit

CVE ID :CVE-2026-55461
Published : July 10, 2026, 7:41 p.m. | 39 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the user edit flow stores url()->previous() from the attacker-controlled Referer header into Laravel’s intended URL session value and later uses redirect()->intended(...) when redirect_option=back is submitted, allowing Snipe-IT to be used as a trusted redirector after a legitimate user edit action. This issue is fixed in version 8.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55469 - Snipe-IT: Path traversal vulnerability via CSV import `image` field

CVE ID :CVE-2026-55469
Published : July 10, 2026, 7:42 p.m. | 38 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the server process. This issue is fixed in version 8.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-55475 - Snipe-IT: Import created_by can be overwritten

CVE ID :CVE-2026-55475
Published : July 10, 2026, 7:43 p.m. | 37 minutes ago
Description :Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in version 8.6.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...