How is SHA-1 insecure if it is not vulnerable to what MD5 is?

SHA-1 is vulnerable to collisions, even if no one have been publicly disclosed yet.

Some cryptographers have been working on the subject the latest years, and they estimated that the cost of finding a collision is decreasing so much that some attacks will be very soon within realm of possibility.

In October 2015, an important milestone was marked with the first freestart collision example for SHA-1, which is a collision for its internal function. This is not a full collision, but this is still a major improvement on the way on finding one, so they recommended to move from SHA-1 because they expect the first collisions to be found very soon.

They estimated the new cost of a full collision from 75K$ and 120K$, which is a 3-4 years improvement over previous estimations.

SHA-256 and SHA-512 are different algorithms, and are not affected by these theoretical attacks.

---

Update (February 2017): The first public collision on SHA-1 has been announced!

Both this PDF and this one share the same SHA-1 hash. This collision was found using Shattered, a new attack on SHA-1.

You can also read Google Security Team's article on their blog.