9.3

CVSS4.0

CVE-2026-0625 - D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS …

📅 Published: Jan. 5, 2026, 9:14 p.m. 🔄 Last Modified: March 5, 2026, 1:30 a.m.

7.9

CVSS3.1

CVE-2025-61916 - Spinnaker vulnerable to SSRF due to improper restrictions on http from user input

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can then be injected into Spinnaker pipelines via …

📅 Published: Jan. 5, 2026, 9:14 p.m. 🔄 Last Modified: Feb. 23, 2026, 7:19 p.m.

8.7

CVSS4.0

CVE-2026-0621 - MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested qu…

📅 Published: Jan. 5, 2026, 8:57 p.m. 🔄 Last Modified: March 5, 2026, 1:30 a.m.

8.5

CVSS4.0

CVE-2025-64425 - Coolify has host header injection in forgot password

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receiv…

📅 Published: Jan. 5, 2026, 8:49 p.m. 🔄 Last Modified: Jan. 12, 2026, 6:36 p.m.

9.4

CVSS4.0

CVE-2025-64424 - Coolify has command injection vulnerability in project git source

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute syst…

📅 Published: Jan. 5, 2026, 8:45 p.m. 🔄 Last Modified: Jan. 12, 2026, 6:37 p.m.

7.7

CVSS4.0

CVE-2025-64423 - Coolify has a Privilege Escalation - low privileged users can see and use admin invitation links

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipie…

📅 Published: Jan. 5, 2026, 8:41 p.m. 🔄 Last Modified: Jan. 9, 2026, 4:10 p.m.

6.9

CVSS4.0

CVE-2026-0605 - code-projects Online Music Site login.php sql injection

A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to SQL injection. The attack may be performed remotely. The exploit has …

📅 Published: Jan. 5, 2026, 8:32 p.m. 🔄 Last Modified: Feb. 23, 2026, 9:16 a.m.

5.5

CVSS4.0

CVE-2025-64422 - Rate-limit bypass on login via X-Forwarded-Host header

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimite…

📅 Published: Jan. 5, 2026, 8:29 p.m. 🔄 Last Modified: Jan. 12, 2026, 2:23 p.m.

8.7

CVSS4.0

CVE-2025-64421 - Coolify has a privilege escalation - low privileged user can invite themselves as an admin user

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks th…

📅 Published: Jan. 5, 2026, 7:42 p.m. 🔄 Last Modified: Jan. 12, 2026, 2:26 p.m.

10

CVSS3.1

CVE-2025-64420 - Coolify members can see private key of root user

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and au…

📅 Published: Jan. 5, 2026, 7:20 p.m. 🔄 Last Modified: Jan. 12, 2026, 2:31 p.m.