Security Intelligence
Feed

Real-time CVE tracking, exploit analysis, and vulnerability intelligence curated for security professionals.

91 New today

64,314 Total advisories

Live Monitoring

Daily Security Trends (Last 14 Days)

658

Jun 9

351

Jun 10

245

Jun 11

336

Jun 12

Jun 13

Jun 14

443

Jun 15

630

Jun 16

464

Jun 17

Jun 18

352

Jun 19

Jun 20

Jun 21

Jun 22

Critical

High

Medium

Low

Latest

CVE CVSS 5.5

@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter_CVE-2026-49336

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross...

CVE-2026-49336 microsoft kiota-typescript >= 1.0.0-preview.97, < 1.0.0-preview.102

Jun 19, 2026

Read analysis

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 7.5	CVE-2026-49293	CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals_CVE-2026-49293 js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / b...	sunnyadn	js-toml < 1.1.1	Jun 19, 2026	CVE
HIGH 8.1	CVE-2026-49291	mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call_CVE-2026-49291 mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at `/mcp` requires only...	doobidoo	mcp-memory-service < 10.65.3	Jun 19, 2026	CVE
MEDIUM 4.3	CVE-2026-49288	Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources_CVE-2026-49288 Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view ...	statamic	cms < 5.73.23	Jun 19, 2026	CVE
MEDIUM 5.3	CVE-2026-12238	WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation_CVE-2026-12238 The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. ...	wpgmaps	WP Go Maps – Google Map, OpenStreetMap, Leaflet Map	Jun 19, 2026	CVE
HIGH 7.5	CVE-2026-9375	Decompression Bomb Bypass via Negative max_length in Streaming API in urllib3_CVE-2026-9375 urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The is...	urllib3	urllib3/urllib3 unspecified	Jun 19, 2026	CVE
HIGH 8.1	CVE-2026-49340	gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host_CVE-2026-49340 gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdat...	sentriz	gonic < 0.21.0	Jun 19, 2026	CVE
HIGH 7.1	CVE-2026-49338	Subsonic API: any authenticated user can delete or read any other user’s playlist (IDOR)_CVE-2026-49338 gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/de...	sentriz	gonic < 0.21.0	Jun 19, 2026	CVE
MEDIUM 6.5	CVE-2026-27878	Tempo TraceQL query with exemplar hint could result in unbounded memory usage_CVE-2026-27878 A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resultin...	Grafana	Enterprise Traces (GET) 2.6.1	Jun 19, 2026	CVE
MEDIUM 6.3	CVE-2026-12726	Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential_CVE-2026-12726 A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.status...	Red Hat	Red Hat Ansible Automation Platform 2	Jun 19, 2026	CVE

Security IntelligenceFeed

Daily Security Trends (Last 14 Days)

@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter_CVE-2026-49336

Recent Advisories

CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals_CVE-2026-49293

mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call_CVE-2026-49291

Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources_CVE-2026-49288

WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation_CVE-2026-12238

Decompression Bomb Bypass via Negative max_length in Streaming API in urllib3_CVE-2026-9375

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host_CVE-2026-49340

Subsonic API: any authenticated user can delete or read any other user’s playlist (IDOR)_CVE-2026-49338

Tempo TraceQL query with exemplar hint could result in unbounded memory usage_CVE-2026-27878

Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential_CVE-2026-12726

Protect Your Attack Surface with RedGem

Security Intelligence
Feed