| CVE-2026-26191 | critical | 9.8 | 9.8 | 13d ago | Fleet vulnerable to OS command injection in software packages |
| CVE-2026-46356 | high | 7.5 | 7.5 | 13d ago | Fleet: IP spoofing allows bypassing API rate limiting |
| CVE-2026-24899 | high | 7.5 | 7.5 | 13d ago | Fleet Windows MDM Azure AD JWT Authentication Bypass |
| CVE-2026-23998 | high | 7.5 | 7.5 | 14d ago | Fleet has a Windows MDM management endpoint authentication bypass |
| CVE-2026-26062 | medium | 6.5 | 6.5 | 13d ago | Fleet server may terminate unexpectedly when handling certain gRPC requests |
| CVE-2026-24000 | medium | 5.3 | 5.3 | 13d ago | Fleet has a rate limiting bypass via untrusted client IP headers |
| CVE-2026-27806 | unknown | — | — | 2mo ago | Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit |
| CVE-2026-34389 | unknown | — | — | 2mo ago | Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet |
| CVE-2026-34388 | unknown | — | — | 2mo ago | Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint in github.com/fleetdm/fleet |
| CVE-2026-34386 | unknown | — | — | 2mo ago | Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin in github.com/fleetdm/fleet |
| CVE-2026-34385 | unknown | — | — | 2mo ago | Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet |
| CVE-2026-29180 | unknown | — | — | 2mo ago | A Fleet team maintainer can transfer hosts from any team via missing source team authorization in github.com/fleetdm/fleet |
| CVE-2026-26061 | unknown | — | — | 2mo ago | Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet |
| CVE-2026-26060 | unknown | — | — | 2mo ago | Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet |
| CVE-2026-27465 | unknown | — | — | 3mo ago | Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users in github.com/fleetdm/fleet |
| CVE-2026-25963 | unknown | — | — | 3mo ago | Fleet: Authorization Bypass in certificate template batch deletion for team administrators in github.com/fleetdm/fleet |
| CVE-2026-24004 | unknown | — | — | 3mo ago | Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet |
| CVE-2026-23999 | unknown | — | — | 3mo ago | Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet |
| CVE-2026-26186 | unknown | — | — | 3mo ago | Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet |
| CVE-2026-23518 | unknown | — | — | 4mo ago | Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet |
| CVE-2026-23517 | unknown | — | — | 4mo ago | Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet |
| CVE-2026-22808 | unknown | — | — | 4mo ago | Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet |
| CVE-2025-27509 | unknown | — | — | 1y ago | Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet |
| CVE-2020-26276 | unknown | — | — | 4y ago | SAML authentication vulnerability due to stdlib XML parsing |
| CVE-2022-23600 | unknown | — | — | 4y ago | Limited ability to spoof SAML authentication with missing audience verification in Fleet |