Security Intelligence
Feed

Real-time CVE tracking, exploit analysis, and vulnerability intelligence curated for security professionals.

334 New today

66,069 Total advisories

Live Monitoring

Daily Security Trends (Last 14 Days)

Jun 14

443

Jun 15

630

Jun 16

464

Jun 17

Jun 18

352

Jun 19

Jun 20

104

Jun 21

317

Jun 22

294

Jun 23

355

Jun 24

376

Jun 25

386

Jun 26

Jun 27

Critical

High

Medium

Low

Latest

CVE CVSS 5.3

Patool < 4.0.5 Path Traversal via safe_extract() Function_CVE-2026-29509

Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of...

CVE-2026-29509 wummel patool

Jun 26, 2026

Read analysis

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 8.5	CVE-2026-54353	Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation_CVE-2026-54353 Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist...	Budibase	budibase < 3.39.9	Jun 26, 2026	CVE
CRITICAL 9.6	CVE-2026-54352	Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload_CVE-2026-54352 Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a...	Budibase	budibase < 3.39.9	Jun 26, 2026	CVE
HIGH 8.2	CVE-2026-54351	Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override_CVE-2026-54351 Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full ...	Budibase	budibase < 3.39.9	Jun 26, 2026	CVE
CRITICAL 10	CVE-2026-54350	Budibase: Anonymous NoSQL operator injection via published-app query templates_CVE-2026-54350 Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of t...	Budibase	budibase < 3.39.12	Jun 26, 2026	CVE
HIGH 7.5	CVE-2026-52885	Notepad++ TOCTOU: HMAC Checks Disk, Executes from Memory_CVE-2026-52885 Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the momen...	notepad-plus-plus	notepad-plus-plus < 8.9.6.4	Jun 26, 2026	CVE
HIGH 7.8	CVE-2026-52884	Notepad++: CVE-2026-48800 Bypass_CVE-2026-52884 Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses...	notepad-plus-plus	notepad-plus-plus = 8.9.6.1	Jun 26, 2026	CVE
HIGH 8.2	CVE-2026-50137	Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials_CVE-2026-50137 Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-...	Budibase	budibase < 3.39.0	Jun 26, 2026	CVE
HIGH 7.4	CVE-2026-50136	Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials_CVE-2026-50136 Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObje...	Budibase	budibase < 3.39.3	Jun 26, 2026	CVE
HIGH 7.3	CVE-2026-50132	Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase_CVE-2026-50132 Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth require...	Budibase	budibase < 3.39.0	Jun 26, 2026	CVE

Security IntelligenceFeed

Daily Security Trends (Last 14 Days)

Patool < 4.0.5 Path Traversal via safe_extract() Function_CVE-2026-29509

Recent Advisories

Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation_CVE-2026-54353

Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload_CVE-2026-54352

Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override_CVE-2026-54351

Budibase: Anonymous NoSQL operator injection via published-app query templates_CVE-2026-54350

Notepad++ TOCTOU: HMAC Checks Disk, Executes from Memory_CVE-2026-52885

Notepad++: CVE-2026-48800 Bypass_CVE-2026-52884

Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials_CVE-2026-50137

Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials_CVE-2026-50136

Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase_CVE-2026-50132

Protect Your Attack Surface with RedGem

Security Intelligence
Feed