high
high
- CVE-2025-6784 - The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi
- CVE-2026-13114 - The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si
- CVE-2026-13353 - The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerab
- CVE-2026-13378 - The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting
- CVE-2026-13756 - The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl
- CVE-2026-14262 - The Simple JWT Login – Allows you to use JWT on REST endpoints
- CVE-2026-15155 - The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable
- CVE-2026-15335 - The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (fo
- CVE-2026-15338 - The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers
- CVE-2026-2354 - The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type
- CVE-2026-3576 - The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading
- CVE-2026-4661 - The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base
- CVE-2026-6939 - The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
- CVE-2026-7655 - The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to
- CVE-2025-30007 - HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege a
- CVE-2025-70796 - An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Techno
- CVE-2026-11321 - The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly
- CVE-2026-12685 - The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo
- CVE-2026-13347 - The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including
- CVE-2026-13430 - The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions
- CVE-2026-15070 - The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al
- CVE-2026-15288 - The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input
- CVE-2026-15290 - The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Pl
- CVE-2026-15291 - The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposu
- CVE-2026-15293 - The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions u
- CVE-2026-15298 - The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and
- CVE-2026-1667 - The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-
- CVE-2026-21042 - Out-of-bounds write in libsavsac.so prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrar
- CVE-2026-21045 - Out-of-bounds write in parsing TIFF format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 all
- CVE-2026-21046 - Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows lo
- CVE-2026-21048 - Out-of-bounds write in parsing DNG format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allo
- CVE-2026-21049 - Out-of-bounds write in libpadm.so library prior to SMR Jul-2026 Release 1 allows local attackers to execute ar
- CVE-2026-21055 - Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to
- CVE-2026-22659 - FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows aut
- CVE-2026-22660 - FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated
- CVE-2026-2398 - Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd
- CVE-2026-33382 - Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before
- CVE-2026-38057 - The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication
- CVE-2026-38059 - The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication
- CVE-2026-39244 - adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompresse
- CVE-2026-39903 - Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnera
- CVE-2026-40006 - Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Aut
- CVE-2026-40007 - Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB
- CVE-2026-40452 - Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB
- CVE-2026-40454 - Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client
- CVE-2026-41482 - Frappe is a full-stack web application framework
- CVE-2026-41876 - R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction() function
- CVE-2026-41878 - R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints
- CVE-2026-41879 - R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash
- CVE-2026-42952 - Previously, there was no throttling on repeated authentication attempts to the charging station backend, which
- CVE-2026-44383 - Multiple connections to the backend using the same charging station ID are allowed, which could allow an attac
- CVE-2026-44795 - Spinnaker is an open source, multi-cloud continuous delivery platform
- CVE-2026-49213 - TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/v
- CVE-2026-49394 - Frappe is a full-stack web application framework
- CVE-2026-49866 - libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
- CVE-2026-52747 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx
- CVE-2026-53448 - Coturn is a free open source implementation of TURN and STUN Server
- CVE-2026-53450 - Coturn is a free open source implementation of TURN and STUN Server
- CVE-2026-53653 - Grav is a file-based Web platform. Prior to 1.7.53 and 2.0.0-rc.8, Grav allows an unauthenticated visitor to e
- CVE-2026-53657 - Lima launches Linux virtual machines, typically on macOS, for running containerd
- CVE-2026-54000 - osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework
- CVE-2026-54001 - osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework
- CVE-2026-54063 - Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
- CVE-2026-54066 - SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CV
- CVE-2026-54070 - SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
- CVE-2026-54071 - BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
- CVE-2026-54149 - MaxKB is an open-source AI assistant for enterprise
- CVE-2026-54174 - melange: Incomplete package integrity verification allows data section substitution
- CVE-2026-54423 - In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management i
- CVE-2026-54469 - Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vul
- CVE-2026-54736 - Phalcon is a high-performance, full-stack PHP framework
- CVE-2026-54919 - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
- CVE-2026-55175 - Spinnaker is an open source, multi-cloud continuous delivery platform
- CVE-2026-55213 - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3
- CVE-2026-55229 - Gotenberg is a Docker-powered stateless API for PDF files
- CVE-2026-55233 - OpenResty is a high performance web platform
- CVE-2026-55377 - Logto is the modern, open-source auth infrastructure for SaaS and AI apps
- CVE-2026-55405 - LangChain4j is a Java library for building LLM-powered applications on the JVM
- CVE-2026-55460 - Snipe-IT is an IT asset/license management system
- CVE-2026-55474 - Snipe-IT is an IT asset/license management system
- CVE-2026-55501 - 9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/login
- CVE-2026-55516 - Snipe-IT is an IT asset/license management system
- CVE-2026-55638 - 9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta
- CVE-2026-55641 - 9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is l
- CVE-2026-55659 - Grist is spreadsheet software using Python as its formula language
- CVE-2026-55665 - Grist is spreadsheet software using Python as its formula language
- CVE-2026-55672 - ZITADEL is an open source identity management platform
- CVE-2026-55687 - ESF-IDF is the Espressif Internet of Things (IOT) Development Framework
- CVE-2026-55789 - Logto is the modern, open-source auth infrastructure for SaaS and AI apps
- CVE-2026-55827 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-55843 - Snipe-IT is an IT asset/license management system
- CVE-2026-55852 - Frappe is a full-stack web application framework
- CVE-2026-55880 - OpenReplay is a self-hosted session replay suite
- CVE-2026-55881 - OpenReplay is a self-hosted session replay suite
- CVE-2026-55882 - Tilt defines dev environments as code for microservice apps on Kubernetes
- CVE-2026-55883 - Tilt defines dev environments as code for microservice apps on Kubernetes
- CVE-2026-56254 - In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the p
- CVE-2026-56279 - Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function
- CVE-2026-56291 - Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2026-56305 - Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that all
- CVE-2026-56335 - Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly
- CVE-2026-56667 - ZITADEL is an open source identity management platform
- CVE-2026-56668 - ZITADEL is an open source identity management platform
- CVE-2026-56675 - 9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows
- CVE-2026-56676 - 9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host befo
- CVE-2026-56689 - Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements us
- CVE-2026-56690 - Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements us
- CVE-2026-57156 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-57212 - RabbitMQ is a messaging and streaming broker
- CVE-2026-57214 - RabbitMQ is a messaging and streaming broker
- CVE-2026-57215 - RabbitMQ is a messaging and streaming broker
- CVE-2026-57217 - RabbitMQ is a messaging and streaming broker
- CVE-2026-57219 - RabbitMQ is a messaging and streaming broker
- CVE-2026-57220 - RabbitMQ is a messaging and streaming broker
- CVE-2026-57574 - Misskey is an open source, federated social media platform
- CVE-2026-57584 - Phalcon is a high-performance, full-stack PHP framework
- CVE-2026-57850 - RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer g
- CVE-2026-58499 - EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api
- CVE-2026-59161 - Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets
- CVE-2026-59190 - grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages
- CVE-2026-59793 - In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration
- CVE-2026-59794 - In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported dat
- CVE-2026-59795 - In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible
- CVE-2026-59796 - In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks
- CVE-2026-61434 - PraisonAI versions before 4.6.78 contain an allowlist bypass vulnerability in shell command execution that all
- CVE-2026-61437 - PraisonAI (pip package praisonaiagents) before 1.6.78 contains an unsafe dynamic module loading vulnerability
- CVE-2026-61441 - PraisonAI Platform (praisonai-platform) before 0.1.9 improperly authorizes deletion of issue dependencies
- CVE-2026-61450 - Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author (any admin.pages user, or anyone ab
- CVE-2026-61455 - Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract() that lacks limits on u
- CVE-2026-61460 - Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonC
- CVE-2026-61461 - Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows
- CVE-2026-6212 - Authorization bypass through User-Controlled key vulnerability in Teracity Software Technologies Inc
- CVE-2025-45422 - Incorrect access control in Proximus b-box v8c.725A allows authenticated attackers to bypass normal restrictio
- CVE-2025-63579 - Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported
- CVE-2026-11404 - Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_
- CVE-2026-11571 - The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during
- CVE-2026-12593 - The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) fo
- CVE-2026-12595 - The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in a
- CVE-2026-12597 - The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback i
- CVE-2026-12598 - The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in versions up to and including
- CVE-2026-13441 - The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site
- CVE-2026-13462 - PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certif
- CVE-2026-13492 - The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1
- CVE-2026-14372 - The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for Word
- CVE-2026-15000 - The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
- CVE-2026-15270 - A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207
- CVE-2026-15271 - A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 a
- CVE-2026-15308 - The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated untermi
- CVE-2026-1989 - Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc
- CVE-2026-31984 - A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging
- CVE-2026-31985 - When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configura
- CVE-2026-33390 - An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc
- CVE-2026-38076 - An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex commit cc37d0 allows attackers to ca
- CVE-2026-39246 - decompress before 4.2.2 allows arbitrary symlink creation during archive extraction
- CVE-2026-41857 - A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation wh
- CVE-2026-4256 - Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in PEAKUP T
- CVE-2026-4275 - The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site
- CVE-2026-44787 - Discourse is an open-source discussion platform
- CVE-2026-47826 - The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary file
- CVE-2026-47828 - During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates t
- CVE-2026-47829 - Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the
- CVE-2026-47830 - Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-
- CVE-2026-47831 - Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows
- CVE-2026-47840 - A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certi
- CVE-2026-49276 - Kirby is an open-source content management system
- CVE-2026-49476 - Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists
- CVE-2026-49477 - Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
- CVE-2026-49485 - org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
- CVE-2026-50180 - Langroid is a framework for building large-language-model-powered applications
- CVE-2026-50181 - Langroid is a framework for building large-language-model-powered applications
- CVE-2026-50553 - Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)
- CVE-2026-50644 - SOPlanning is vulnerable to SQL injection in the audit retention configuration
- CVE-2026-51600 - Tenda CP3 V3.0 firmware V31.1.9.91 does not validate the Content-Length header field in RTSP requests (includi
- CVE-2026-51601 - Tenda CP3 V3.0 firmware V31.1.9.91 contains a stack-based buffer overflow in the RTSP service
- CVE-2026-51602 - A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows
- CVE-2026-51603 - A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows
- CVE-2026-51604 - A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows
- CVE-2026-51605 - A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.991) allow
- CVE-2026-51606 - An improper input handling vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) causes th
- CVE-2026-51923 - An Insecure Direct Object Reference (IDOR) vulnerability exists in docuForm GmbH Client v.11.11c allowing a re
- CVE-2026-51924 - An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file uplo
- CVE-2026-51925 - A Local File Inclusion (LFI) vulnerability exists in docuForm GmbH Client v.11.11c that allows a remote attack
- CVE-2026-51926 - An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the
- CVE-2026-52762 - YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates
- CVE-2026-52767 - YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via !openssl_verify(...) accepting int(-
- CVE-2026-52769 - YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub Signature.keyId
- CVE-2026-52770 - YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric query/queries filters
- CVE-2026-52771 - YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (ApiController::deletePage)
- CVE-2026-52775 - YesWiki has Authenticated SQL Injection via ReactionManager
- CVE-2026-53932 - laravel-backup-restore has an OS Command Injection during database restore
- CVE-2026-53963 - Discourse is an open-source discussion platform
- CVE-2026-53987 - The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the
- CVE-2026-54002 - Kirby is an open-source content management system
- CVE-2026-54005 - Kirby is an open-source content management system
- CVE-2026-54695 - Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents
- CVE-2026-54771 - Langroid is a framework for building large-language-model-powered applications
- CVE-2026-54801 - A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE
- CVE-2026-55207 - Pimcore is an Open Source Data & Experience Management Platform
- CVE-2026-55208 - Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio
- CVE-2026-55212 - Pimcore is an Open Source Data & Experience Management Platform
- CVE-2026-5523 - The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and inclu
- CVE-2026-55420 - Discourse is an open-source discussion platform
- CVE-2026-55424 - Discourse is an open-source discussion platform
- CVE-2026-55604 - DeepSeek MCP Server is an MCP server for DeepSeek V4
- CVE-2026-55865 - Python Liquid is a Python engine for the Liquid template language
- CVE-2026-56292 - A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered
- CVE-2026-57023 - An Improper Validation of Specified Quantity in Input vulnerability in the TCP proxy plugin of Juniper Network
- CVE-2026-57026 - An Improper Validation of Syntactic Correctness of Input vulnerability in the SIP plugin of Juniper Networks J
- CVE-2026-57028 - An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos
- CVE-2026-57111 - Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, org.apache.helix.rest.server.filt
- CVE-2026-58143 - Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticat
- CVE-2026-58378 - Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production
- CVE-2026-58459 - gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof th
- CVE-2026-59148 - Mockoon provides way to design and run mock APIs
- CVE-2026-59206 - n8n is an open source workflow automation platform
- CVE-2026-59207 - n8n is an open source workflow automation platform
- CVE-2026-59208 - n8n is an open source workflow automation platform
- CVE-2026-59209 - n8n is an open source workflow automation platform
- CVE-2026-59214 - Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform
- CVE-2026-59216 - Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform
- CVE-2026-59219 - Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform
- CVE-2026-59221 - Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform
- CVE-2026-59224 - Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform
- CVE-2026-59691 - A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin
- CVE-2026-59692 - A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin
- CVE-2026-59720 - Hoppscotch is an open source API development ecosystem
- CVE-2026-59721 - Hoppscotch is an open source API development ecosystem
- CVE-2026-59734 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-59832 - SiYuan is an open-source personal knowledge management system
- CVE-2026-59833 - SiYuan is an open-source personal knowledge management system
- CVE-2026-59834 - SiYuan is an open-source personal knowledge management system
- CVE-2026-59855 - SiYuan is an open-source personal knowledge management system
- CVE-2026-59856 - Vim is an open source, command line text editor
- CVE-2026-59858 - Vim is an open source, command line text editor
- CVE-2026-60108 - Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows un
- CVE-2026-60109 - Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that all
- CVE-2026-61343 - LibreBooking's email template editor save action passes the submitted template name directly into the destinat
- CVE-2026-8848 - The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for
- CVE-2026-9253 - The WP Cost Estimation & Payment Forms Builder (E&P Forms) plugin for WordPress is vulnerable to Stored Cross-
- CVE-2025-3110 - OpenVPN Access Server 2.7.2 through 3.1.0 accepts bare line-feed sequences inside HTTP header values, allowing
- CVE-2026-0288 - Multiple buffer overflow vulnerabilities in the User-ID Terminal Server Agent (TSA) component of Palo Alto Net
- CVE-2026-10037 - A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu
- CVE-2026-10706 - In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate u
- CVE-2026-10708 - This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets
- CVE-2026-13320 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.7 before 18.11.7, 19.0 before 19
- CVE-2026-15107 - Use after free in IndexedDB in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbi
- CVE-2026-15110 - Use after free in Extensions in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user
- CVE-2026-15111 - Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker who convinced a use
- CVE-2026-15112 - Use after free in Ozone in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially expl
- CVE-2026-15114 - Out of bounds read and write in Codecs in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to p
- CVE-2026-15116 - Use after free in Actor in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrar
- CVE-2026-15117 - Use after free in Payments in Google Chrome prior to 150.0.7871.115 allowed a remote attacker who convinced a
- CVE-2026-15118 - Use after free in Input in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrar
- CVE-2026-15119 - Race in GetUserMedia in Google Chrome prior to 150.0.7871.115 allowed a remote attacker who had compromised th
- CVE-2026-15120 - Use after free in Core in Google Chrome on Windows prior to 150.0.7871.115 allowed a remote attacker who had c
- CVE-2026-15121 - Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitra
- CVE-2026-15122 - Insufficient validation of untrusted input in Codecs in Google Chrome on Windows prior to 150.0.7871.115 allow
- CVE-2026-15123 - Inappropriate implementation in DOM in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to pote
- CVE-2026-15125 - Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to ex
- CVE-2026-15126 - Use after free in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrar
- CVE-2026-15129 - Use after free in Views in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially expl
- CVE-2026-15132 - Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrar
- CVE-2026-15133 - Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute
- CVE-2026-15167 - DBS Etherwatch file parser crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
- CVE-2026-29008 - U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function
- CVE-2026-29009 - U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c)
- CVE-2026-31309 - Improper authorization in the /tequilapi/config/user endpoint of Mysterium Node before v1.36.0 allows unauthen
- CVE-2026-3144 - IBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to gain unaut
- CVE-2026-35210 - OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables
- CVE-2026-35552 - In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authentic
- CVE-2026-44025 - Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop a
- CVE-2026-44160 - Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop a
- CVE-2026-44161 - Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop a
- CVE-2026-49464 - NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak
- CVE-2026-49471 - Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
- CVE-2026-49825 - lxml_html_clean.Cleaner does not strip javascript: URLs from namespaced URL attributes
- CVE-2026-49832 - DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN
- CVE-2026-50197 - Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
- CVE-2026-51535 - In OpENer 2.3.0 (commit 76b95cf), a resource exhaustion (Denial of Service) vulnerability exists in its networ
- CVE-2026-53482 - Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10,
- CVE-2026-53951 - Copier is a library and CLI app for rendering project templates
- CVE-2026-54499 - Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many huma
- CVE-2026-54528 - JupyterLab Git is a Git extension for JupyterLab
- CVE-2026-54591 - AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 prot
- CVE-2026-54772 - CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core
- CVE-2026-54774 - CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core
- CVE-2026-54781 - CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core
- CVE-2026-54783 - CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core
- CVE-2026-54784 - CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core
- CVE-2026-55195 - py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and
- CVE-2026-55206 - py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and
- CVE-2026-55404 - yt-dlp and youtube-dl are command-line audio/video downloaders
- CVE-2026-55470 - HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java
- CVE-2026-55471 - HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java
- CVE-2026-55575 - LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript
- CVE-2026-55596 - Plate is a rich-text editor with AI and shadcn/ui
- CVE-2026-55760 - Handlebars.java provides logic-less and semantic Mustache templates with Java
- CVE-2026-55830 - RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a prog
- CVE-2026-55849 - @cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects
- CVE-2026-55878 - Symfony UX is a JavaScript ecosystem for Symfony
- CVE-2026-55999 - Local attackers with a X connection able to provide PCX fonts to the X server xorg-server before 21.2.24 and x
- CVE-2026-56000 - Local attackers with a X connection able to provide GLX commit to the X server xorg-server before 21.2.24 and
- CVE-2026-56001 - A heap buffer overflow in BitmapScaleBitmaps in libXfont2 before 2.0.8 due to an overflowing 32bit size could
- CVE-2026-56003 - A heap buffer overflow due to missing size checking in the property buffer when parsing PCF files in libXfont2
- CVE-2026-56297 - FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_recei
- CVE-2026-56669 - Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-ser
- CVE-2026-56776 - n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/{workflowId}/t
- CVE-2026-57239 - The user-controllable executable files will be directly executed by high-privilege processes, allowing low-pri
- CVE-2026-57256 - When the application opens a PDF and executes JavaScript, it performs abnormal operations on the list box fiel
- CVE-2026-57480 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js
- CVE-2026-58192 - Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver proto
- CVE-2026-58207 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system
- CVE-2026-58210 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system
- CVE-2026-58213 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system
- CVE-2026-58250 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system
- CVE-2026-58253 - NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system
- CVE-2026-58525 - Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a securit
- CVE-2026-59257 - n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the
- CVE-2026-59723 - Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant
- CVE-2026-59731 - Astro is a web framework for content-driven websites
- CVE-2026-59802 - PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in th
- CVE-2026-59803 - rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.De
- CVE-2026-59804 - Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS mis
- CVE-2026-59805 - Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that all
- CVE-2026-59806 - Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attac
- CVE-2026-59807 - Composio SDK before 0.2.32-beta.283 contains a path validation bypass vulnerability that allows attackers to r
- CVE-2026-59822 - LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format
- CVE-2026-59869 - js-yaml is a JavaScript YAML parser and dumper
- CVE-2026-59873 - node-tar is a tar archive manipulation library for Node.js
- CVE-2026-59874 - node-tar is a tar archive manipulation library for Node.js
- CVE-2026-59879 - Immutable.js provides many Persistent Immutable data structures
- CVE-2026-59880 - Immutable.js provides many Persistent Immutable data structures
- CVE-2026-59887 - linkify-it is a links recognition library with full Unicode support
- CVE-2026-59922 - Mistune is a Python Markdown parser with renderers and plugins
- CVE-2026-59935 - pypdf is a free and open-source pure-python PDF library
- CVE-2026-59936 - pypdf is a free and open-source pure-python PDF library
- CVE-2026-59937 - pypdf is a free and open-source pure-python PDF library
- CVE-2026-59939 - httplib2 is a comprehensive HTTP client library for Python
- CVE-2026-59948 - Composer is a dependency Manager for the PHP language
- CVE-2026-60002 - ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchan
- CVE-2026-60104 - Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body be
- CVE-2026-60105 - Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action ca
- CVE-2026-6896 - GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0
- CVE-2025-46719 - Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeov
- CVE-2026-13020 - A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and e
- CVE-2026-14380 - DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
- CVE-2026-26192 - Open WebUI vulnerable to Stored XSS via iFrame in citations model
- CVE-2026-26193 - Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages
- CVE-2026-33655 - New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
- CVE-2026-34044 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-34151 - XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+
- CVE-2026-34152 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-40187 - EGroupware has Authenticated RCE via Malicious eTemplate Upload
- CVE-2026-48948 - An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible
- CVE-2026-48957 - An improper access check allows unauthorized users to access com_privacy datasets
- CVE-2026-48958 - An improper access check allows unauthorized users to create custom fields via webservices endpoints
- CVE-2026-49229 - Actual is a local-first personal finance app
- CVE-2026-53514 - Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
- CVE-2026-53516 - Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
- CVE-2026-53517 - Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
- CVE-2026-53518 - @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race t
- CVE-2026-53530 - ratex-parser panics on \verb with a multibyte delimiter (UTF-8 byte-boundary slice)
- CVE-2026-53553 - Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
- CVE-2026-53730 - DataEase is an open source data visualization and analysis tool
- CVE-2026-55077 - Coder allows organizations to provision remote development environments via Terraform
- CVE-2026-55255 - Langflow Authorization Bypass Through User-Controlled Key Vulnerability
- CVE-2026-55418 - FastGPT is an open source AI knowledge base platform
- CVE-2026-55635 - DataEase is an open source data visualization and analysis tool
- CVE-2026-56290 - Joomlack Page Builder Improper Access Control Vulnerability
- CVE-2026-56811 - Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket
- CVE-2026-56812 - Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaS
- CVE-2026-57851 - MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver
- CVE-2026-58384 - A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap
- CVE-2026-59704 - Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video
- CVE-2026-59708 - The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validatin
- CVE-2026-13698 - A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allow
- CVE-2026-14536 - Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows
- CVE-2026-25271 - Memory Corruption when processing asynchronous input parameters due to improper handling of modified values be
- CVE-2026-40138 - A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Suppo
- CVE-2026-40140 - BeyondTrust Remote Support and Privileged Remote Access contain a high-severity pre-authentication vulnerabili
- CVE-2026-44937 - Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0
- CVE-2026-54765 - Traefik is an open source HTTP reverse proxy and load balancer
- CVE-2026-55574 - vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs
- CVE-2026-58380 - A flaw was found in GIMP's PNM file format parser
- CVE-2026-59712 - Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated
- CVE-2026-59713 - Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns tr
- CVE-2026-14535 - In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditional
- CVE-2026-11352 - An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of se
- CVE-2026-11586 - By default, curl automatically responds to WebSocket PING frames
- CVE-2026-12064 - When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect oc
- CVE-2026-13053 - An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged u
- CVE-2026-13054 - A path traversal vulnerability in the WatchGuard Fireware OS Management Web UI allows a privileged authenticat
- CVE-2026-13079 - A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a l
- CVE-2026-13383 - An Out-of-bounds Write vulnerability in WatchGuard Fireware OS ikestubd process could allow an authenticated p
- CVE-2026-13384 - An Out-of-bounds Write vulnerability in WatchGuard Fireware OS wgagent process could allow an authenticated pr
- CVE-2026-26307 - Gitea versions before 1.25.5 do not enforce a timeout on git grep searches, allowing expensive searches to con
- CVE-2026-47896 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene
- CVE-2026-47897 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene
- CVE-2026-57983 - Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security
- CVE-2026-57984 - Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a netwo
- CVE-2026-57985 - Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code o
- CVE-2026-58293 - External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to ex
- CVE-2026-58297 - Exposure of private personal information to an unauthorized actor in Microsoft Edge for Android allows an unau
- CVE-2026-38969 - ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling req
- CVE-2026-44454 - Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
- CVE-2026-44941 - A relative path traversal in the keyhint option in repomd.xml parsing of libzypp before 17.38.12 can be used
- CVE-2026-54401 - A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (S
- CVE-2026-54408 - A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in U
- CVE-2026-54409 - A malicious actor with access to the network and under certain conditions could exploit an Improper Initializa
- CVE-2026-55112 - A malicious actor with access to the network and low privileges and under certain conditions could exploit an
- CVE-2026-55952 - The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1
- CVE-2026-9272 - In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who i
- CVE-2022-37331 - Open Babel has out-of-bounds write in Gaussian coords_type orientation parser
- CVE-2022-41793 - Open Babel has out-of-bounds write in CSR PadString (title field)
- CVE-2022-42885 - Open Babel has uninitialized pointer dereference in GRO residue parser
- CVE-2022-43467 - Open Babel has out-of-bounds write in PQS coord_file parser
- CVE-2022-43607 - Open Babel has out-of-bounds write in MOL2 attribute/value parser
- CVE-2022-44451 - Open Babel has uninitialized pointer dereference in MSI atom parser
- CVE-2022-46280 - Open Babel has uninitialized pointer dereference in PQS pFormat
- CVE-2022-46289 - Open Babel has out-of-bounds write in ORCA nAtoms parser
- CVE-2022-46290 - Open Babel has out-of-bounds write in ORCA nAtoms parser (second variant)
- CVE-2022-46291 - Open Babel has out-of-bounds write in Gaussian translationVectors[]
- CVE-2022-46293 - Open Babel has out-of-bounds write in MOPAC translationVectors[] (FINAL POINT)
- CVE-2022-46294 - Open Babel has out-of-bounds write in MOPAC IN translationVectors[] (Tv atom)
- CVE-2022-46295 - Open Babel has out-of-bounds write in MSI translationVectors[]
- CVE-2025-10997 - Open Babel has heap buffer overflow in ChemKin ChemKinFormat::CheckSpecies
- CVE-2026-10538 - Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction
- CVE-2026-10750 - The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP too
- CVE-2026-11568 - The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or p
- CVE-2026-11794 - The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the
- CVE-2026-11823 - The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_se
- CVE-2026-11883 - The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-fact
- CVE-2026-12142 - The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Sc
- CVE-2026-12158 - The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Reques
- CVE-2026-12224 - The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint
- CVE-2026-1239 - The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthori
- CVE-2026-12575 - DVP80ES3 with Improper Resource Shutdown or Release vulnerability
- CVE-2026-12576 - DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnera
- CVE-2026-12579 - AS228T with Authentication Bypass Vulnerability
- CVE-2026-12923 - The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and inclu
- CVE-2026-13228 - The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Priv
- CVE-2026-13468 - The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to auth
- CVE-2026-13706 - Improper input validation vulnerability in Wikimedia Foundation UrlShortener
- CVE-2026-13731 - The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to St
- CVE-2026-14181 - @fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone e
- CVE-2026-14191 - An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5:
- CVE-2026-14193 - DVP80ES300T with Improper Validation of Array Index Vulnerability
- CVE-2026-14265 - Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapp
- CVE-2026-20191 - A vulnerability in Cisco Catalyst Center could allow an unauthenticated, remote attacker to read arbitrary fil
- CVE-2026-20213 - A vulnerability in the PE file format parser of ClamAV could allow an unauthenticated, remote attacker to caus
- CVE-2026-20214 - A vulnerability in the FSG file format parser of ClamAV could allow an unauthenticated, remote attacker to cau
- CVE-2026-20215 - A vulnerability in the 7z file format parser of ClamAV could allow an unauthenticated, remote attacker to caus
- CVE-2026-20216 - A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attac
- CVE-2026-20217 - A vulnerability in the PESpin file format parser of ClamAV could allow an unauthenticated, remote attacker to
- CVE-2026-20243 - A vulnerability in the ALZ file format parser of ClamAV could allow an unauthenticated, remote attacker to cau
- CVE-2026-20244 - A vulnerability in the DMG file format parser of ClamAV could allow an unauthenticated, remote attacker to cau
- CVE-2026-20458 - In Modem, there is a possible memory corruption due to a missing bounds check
- CVE-2026-24240 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of unt
- CVE-2026-24242 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause server-side request fo
- CVE-2026-24243 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of unt
- CVE-2026-24244 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of unt
- CVE-2026-24245 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of unt
- CVE-2026-24246 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dy
- CVE-2026-24247 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of unt
- CVE-2026-24248 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of co
- CVE-2026-24249 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of unt
- CVE-2026-24250 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper validation of
- CVE-2026-24251 - NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dy
- CVE-2026-24260 - NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time
- CVE-2026-24264 - NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handlin
- CVE-2026-39379 - GeoNetwork has reflected XSS through client-side template injection
- CVE-2026-46487 - GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field
- CVE-2026-50043 - Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in Sky
- CVE-2026-5120 - A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a
- CVE-2026-5136 - A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments agains
- CVE-2026-53488 - containerd is an open-source container runtime
- CVE-2026-54592 - Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem
- CVE-2026-57516 - Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows atta
- CVE-2026-58036 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki
- CVE-2026-58452 - JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain an OS command injection vulnerabi
- CVE-2026-58454 - JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a remote code execution vulnerabi
- CVE-2026-6682 - In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats
- CVE-2026-6687 - FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabe
- CVE-2026-6688 - FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename
- CVE-2026-7517 - The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting
- CVE-2026-7829 - UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule pa
- CVE-2026-7830 - UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme (rfbUltraVNC_Ms
- CVE-2026-7831 - UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message han
- CVE-2026-7838 - UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB prot
- CVE-2026-8857 - A vulnerability in Wikimedia Foundation timeline
- CVE-2025-10996 - Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles
- CVE-2025-24815 - Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type valida
- CVE-2025-36359 - IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which c
- CVE-2025-71349 - picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, al
- CVE-2025-71350 - picklescan before 0.0.28 fails to detect malicious pickle files using torch.utils.collect_env.run function in
- CVE-2025-71352 - picklescan before 0.0.29 fails to detect the built-in Python trace.Trace.runctx function when used in pickle f
- CVE-2025-71363 - picklescan before 0.0.30 fails to detect cProfile.run function calls in pickle reduce methods, allowing attack
- CVE-2025-71368 - picklescan before 0.0.30 fails to detect the doctest.debug_script function when analyzing pickle files, allowi
- CVE-2025-71371 - picklescan before 0.0.29 fails to detect malicious pickle files using code.InteractiveInterpreter.runcode in r
- CVE-2025-71374 - picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle
- CVE-2025-7406 - Nokia MantaRay NM is vulnerable to a sudo privilege escalation vulnerability where a local attacker possessing
- CVE-2026-10129 - IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerabi
- CVE-2026-10513 - The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and includi
- CVE-2026-10546 - IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL co
- CVE-2026-10560 - IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_t
- CVE-2026-10564 - IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF)
- CVE-2026-11541 - IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through
- CVE-2026-11546 - IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forg
- CVE-2026-11589 - The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploade
- CVE-2026-11590 - The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied ar
- CVE-2026-11594 - IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the admin
- CVE-2026-11714 - IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forg
- CVE-2026-11806 - IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vul
- CVE-2026-12240 - The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file pa
- CVE-2026-12243 - NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504
- CVE-2026-13207 - FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalizatio
- CVE-2026-13449 - IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity inje
- CVE-2026-13759 - IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStr
- CVE-2026-13772 - IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied
- CVE-2026-13774 - Use after free in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user
- CVE-2026-13777 - Insufficient validation of untrusted input in iOSWeb in Google Chrome on iOS prior to 150.0.7871.47 allowed a
- CVE-2026-13778 - Use after free in WebUSB in Google Chrome on Mac prior to 150.0.7871.47 allowed a local attacker to execute ar
- CVE-2026-13779 - Use after free in Chromoting in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker to
- CVE-2026-13783 - Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user
- CVE-2026-13786 - Use after free in Ozone in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary
- CVE-2026-13787 - Use after free in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to e
- CVE-2026-13788 - Use after free in Fullscreen in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to e
- CVE-2026-13791 - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 150.0.7871.47 allowed an att
- CVE-2026-13794 - Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.4
- CVE-2026-13799 - Use after free in QUIC in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploi
- CVE-2026-13800 - Inappropriate implementation in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local att
- CVE-2026-13801 - Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compr
- CVE-2026-13802 - Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user
- CVE-2026-13803 - Type Confusion in Chrome Tabs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compro
- CVE-2026-13804 - Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had comprom
- CVE-2026-13805 - Use after free in GFX in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to execute arbi
- CVE-2026-13806 - Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a
- CVE-2026-13807 - Use after free in Import in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convince
- CVE-2026-13811 - Use after free in IME in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary c
- CVE-2026-13813 - Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a rem
- CVE-2026-13814 - Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user
- CVE-2026-13815 - Use after free in Blink in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary
- CVE-2026-13817 - Insufficient validation of untrusted input in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote at
- CVE-2026-13819 - Out of bounds read in ANGLE in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had c
- CVE-2026-13821 - Use after free in Canvas in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrar
- CVE-2026-13823 - Use after free in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised t
- CVE-2026-13824 - Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacke
- CVE-2026-13825 - Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exp
- CVE-2026-13827 - Use after free in Updater in Google Chrome on Mac prior to 150.0.7871.47 allowed a local attacker to perform p
- CVE-2026-13829 - Insufficient validation of untrusted input in Settings in Google Chrome on Windows prior to 150.0.7871.47 allo
- CVE-2026-13830 - Use after free in Chromoting in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to exe
- CVE-2026-13831 - Out of bounds read and write in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had
- CVE-2026-13832 - Use after free in Headless in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromis
- CVE-2026-13834 - Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote a
- CVE-2026-13835 - Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to poten
- CVE-2026-13841 - Integer overflow in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised
- CVE-2026-13844 - Use after free in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perfo
- CVE-2026-13845 - Use after free in DOM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary c
- CVE-2026-13848 - Use after free in Forms in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary
- CVE-2026-13849 - Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 al
- CVE-2026-13850 - Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 al
- CVE-2026-13855 - Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinc
- CVE-2026-13856 - Insufficient validation of untrusted input in Speech in Google Chrome on Android prior to 150.0.7871.47 allowe
- CVE-2026-13863 - Insufficient validation of untrusted input in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 al
- CVE-2026-13864 - Insufficient policy enforcement in WebHID in Google Chrome prior to 150.0.7871.47 allowed an attacker who conv
- CVE-2026-13870 - Use after free in WebView in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to exec
- CVE-2026-13884 - Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to execute arb
- CVE-2026-13885 - Use after free in Skia in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to execute
- CVE-2026-13888 - Use after free in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbi
- CVE-2026-13891 - Insufficient validation of untrusted input in Extensions in Google Chrome prior to 150.0.7871.47 allowed a rem
- CVE-2026-13897 - Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacke
- CVE-2026-13898 - Use after free in Cast Receiver in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute a
- CVE-2026-13899 - Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary
- CVE-2026-13903 - Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker
- CVE-2026-13915 - Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who
- CVE-2026-13918 - Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to p
- CVE-2026-13925 - Inappropriate implementation in Downloads in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote
- CVE-2026-13927 - Insufficient validation of untrusted input in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a
- CVE-2026-13928 - Insufficient validation of untrusted input in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a rem
- CVE-2026-13965 - Use after free in Oilpan in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrar
- CVE-2026-13967 - Heap buffer overflow in V8 in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitr
- CVE-2026-13968 - Insufficient validation of untrusted input in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remot
- CVE-2026-14005 - Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who con
- CVE-2026-14006 - Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbi
- CVE-2026-14009 - Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to
- CVE-2026-14011 - Out of bounds read in SurfaceCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perf
- CVE-2026-14018 - Use after free in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perfo
- CVE-2026-14024 - Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinc
- CVE-2026-14025 - Use after free in Views in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced
- CVE-2026-14027 - Use after free in SignIn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a use
- CVE-2026-14032 - Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed an attacker who convinced a
- CVE-2026-14036 - Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker
- CVE-2026-14040 - Use after free in BrowserTag in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user
- CVE-2026-14041 - Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to
- CVE-2026-14060 - Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 al
- CVE-2026-14064 - Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who co
- CVE-2026-14067 - Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to e
- CVE-2026-14078 - Insufficient validation of untrusted input in WebRTC in Google Chrome prior to 150.0.7871.47 allowed a remote
- CVE-2026-14084 - Insufficient validation of untrusted input in Chromoting in Google Chrome prior to 150.0.7871.47 allowed a rem
- CVE-2026-14086 - Insufficient policy enforcement in HID in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to ex
- CVE-2026-14087 - Heap buffer overflow in WebNN in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who
- CVE-2026-14091 - Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitr
- CVE-2026-14094 - Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to per
- CVE-2026-14099 - Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who
- CVE-2026-14102 - Use after free in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially e
- CVE-2026-14104 - Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a
- CVE-2026-14107 - Use after free in Scheduling in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbi
- CVE-2026-14108 - Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrar
- CVE-2026-14111 - Use after free in WebProtect in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user
- CVE-2026-14114 - Inappropriate implementation in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a lo
- CVE-2026-14115 - Insufficient validation of untrusted input in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote at
- CVE-2026-14121 - Use after free in Chromoting in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to exe
- CVE-2026-14122 - Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.4
- CVE-2026-14124 - Inappropriate implementation in CredentialProvider in Google Chrome on Windows prior to 150.0.7871.47 allowed
- CVE-2026-14149 - Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute
- CVE-2026-14161 - Hospital Quening Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unaut
- CVE-2026-14164 - A double free issue has been identified in libarchive's RAR5 reader
- CVE-2026-27957 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-35505 - An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory
- CVE-2026-41053 - Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provid
- CVE-2026-44628 - An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a va
- CVE-2026-47198 - Paymenter has URL parameter injection that bypasses paid plan limits at checkout
- CVE-2026-48285 - ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerabi
- CVE-2026-48307 - ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnera
- CVE-2026-48795 - @adonisjs/bodyparser has an incomplete fix for CVE-2026-25754
- CVE-2026-49432 - Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp
- CVE-2026-49434 - Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All
- CVE-2026-49451 - Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing
- CVE-2026-49473 - @cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
- CVE-2026-49478 - Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Se
- CVE-2026-49821 - Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration
- CVE-2026-49822 - Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
- CVE-2026-49823 - Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
- CVE-2026-49824 - Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
- CVE-2026-49877 - Improper Authorization vulnerability in Apache ActiveMQ
- CVE-2026-50254 - An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory
- CVE-2026-50734 - Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache A
- CVE-2026-50750 - Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ
- CVE-2026-52195 - Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a d
- CVE-2026-52196 - Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a d
- CVE-2026-52197 - An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via
- CVE-2026-52868 - An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist st
- CVE-2026-53916 - Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache Acti
- CVE-2026-53917 - Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache Acti
- CVE-2026-54475 - Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ
- CVE-2026-54672 - electron-updater allows for automatic updates for Electron apps
- CVE-2026-56137 - RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc
- CVE-2026-56219 - Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac functio
- CVE-2026-56230 - Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accep
- CVE-2026-56233 - Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenti
- CVE-2026-56247 - Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role s
- CVE-2026-56249 - Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that all
- CVE-2026-56264 - Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /exe
- CVE-2026-56286 - Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that al
- CVE-2026-56300 - Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for
- CVE-2026-56320 - Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supp
- CVE-2026-56808 - DGM3103SCT provided by AVTECH Security Corporation contains an OS command injection vulnerability, which may l
- CVE-2026-57080 - Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire messa
- CVE-2026-57081 - Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded inpu
- CVE-2026-57585 - MessagePack is the serializer implementation for Python msgpack.org
- CVE-2026-57995 - phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that
- CVE-2026-58014 - A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in t
- CVE-2026-58016 - A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusint
- CVE-2026-58165 - OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows aut
- CVE-2026-58168 - DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users
- CVE-2026-58169 - Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote att
- CVE-2026-58170 - Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto
- CVE-2026-58302 - rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation
- CVE-2026-58370 - Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author
- CVE-2026-58372 - SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler t
- CVE-2026-58375 - JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler i
- CVE-2026-58376 - Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authentic
- CVE-2026-58377 - JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege
- CVE-2026-8141 - The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'taxono
- CVE-2026-8451 - Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory overread if NetScaler A
- CVE-2025-2902 - Improper Authorization Vulnerability of Maintenance Utility in Hitachi Virtual Storage Platform
- CVE-2026-10083 - The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in
- CVE-2026-11979 - libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --she
- CVE-2026-12856 - A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code
- CVE-2026-12912 - A flaw was found in libtiff. A remote attacker could exploit this vulnerability by providing a specially craft
- CVE-2026-13519 - A vulnerability was found in Tenda JD12L 16.03.53.23
- CVE-2026-13555 - A vulnerability was found in itsourcecode Online Hotel Management System 1.0
- CVE-2026-13565 - A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php
- CVE-2026-13566 - A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0
- CVE-2026-13568 - A weakness has been identified in SourceCodester Inventory Management System 1.0
- CVE-2026-13580 - A security vulnerability has been detected in Edimax EW-7478APC 1.04
- CVE-2026-13582 - A flaw has been found in Edimax EW-7478APC 1.04
- CVE-2026-13583 - A vulnerability has been found in Edimax EW-7478APC 1.04
- CVE-2026-13592 - A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4
- CVE-2026-13676 - fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family U
- CVE-2026-13744 - Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed uninten
- CVE-2026-13749 - Improper neutralization in the Snowpark annotation processor callback template in Snowflake CLI versions prior
- CVE-2026-22078 - Because O+ Connect's IPC service does not authenticate clients, external applications can escalate privileges
- CVE-2026-25707 - A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be
- CVE-2026-34592 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-34594 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-34597 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-36848 - Gigamon GVOS v5.16.1 and below is vulnerable to Directory Traversal in the GVOS H-VUE subsystem
- CVE-2026-40521 - FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that al
- CVE-2026-40522 - FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that
- CVE-2026-40523 - FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that al
- CVE-2026-40524 - FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function whe
- CVE-2026-41896 - Coolify is an open-source and self-hostable tool for managing servers, applications, and databases
- CVE-2026-41992 - GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reu
- CVE-2026-43701 - The issue was addressed with improved checks
- CVE-2026-43705 - A type confusion issue was addressed with improved checks
- CVE-2026-43715 - A use-after-free issue was addressed with improved memory management
- CVE-2026-43724 - The issue was addressed with improved input sanitization
- CVE-2026-43725 - The issue was addressed with improved input validation
- CVE-2026-43731 - A use-after-free issue was addressed with improved memory management
- CVE-2026-43735 - The issue was addressed with improved checks
- CVE-2026-44840 - Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query
- CVE-2026-47424 - OpenAM Authenticated RCE via Groovy Sandbox Escape
- CVE-2026-47426 - OpenAM OAuth Client Impersonation via JWKS Resolver Cache
- CVE-2026-48558 - SimpleHelp Authentication Bypass Vulnerability
- CVE-2026-49049 - The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arb
- CVE-2026-51221 - A buffer overflow in the Get_Attribute_List function of EIPStackGroup OpENer commit 76b95c allows attackers to
- CVE-2026-53404 - Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the
- CVE-2026-54369 - acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl
- CVE-2026-54371 - attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities th
- CVE-2026-55607 - Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed crea
- CVE-2026-55844 - Home Assistant is open source home automation software that puts local control and privacy first
- CVE-2026-55957 - Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to au
- CVE-2026-56017 - JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first me
- CVE-2026-56018 - JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbound
- CVE-2026-56124 - phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote a
- CVE-2026-56285 - Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardco
- CVE-2026-56780 - Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{p
- CVE-2026-57320 - Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions
- CVE-2026-57332 - Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions
- CVE-2026-57333 - Unauthenticated Cross Site Scripting (XSS) in Link Whisper Free <= 0.9.4 versions
- CVE-2026-57336 - Unauthenticated Cross Site Scripting (XSS) in Jobify <= 4.3.2 versions
- CVE-2026-57337 - Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions
- CVE-2026-57338 - Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions
- CVE-2026-57346 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Epiphyt Embed
- CVE-2026-57919 - PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\.\pipe\PBackupVSS)
- CVE-2026-57947 - Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoi
- CVE-2026-57950 - ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSa
- CVE-2026-57955 - SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute a
- CVE-2026-57999 - luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method t
- CVE-2026-58000 - luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the
- CVE-2026-7656 - The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_
- CVE-2026-8023 - Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STAT
- CVE-2026-10643 - Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validate
- CVE-2026-10646 - Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a
- CVE-2026-13485 - SourceCodester preview course_year_section SQL injection
- CVE-2026-13485 - SourceCodester preview.php course_year_section SQL injection
- CVE-2026-13486 - SourceCodester preview6 course_year_section SQL injection
- CVE-2026-13486 - SourceCodester preview6.php course_year_section SQL injection
- CVE-2026-13487 - SourceCodester archive sy SQL injection
- CVE-2026-13487 - SourceCodester archive.php sy SQL injection
- CVE-2026-13488 - SourceCodester preview7 course_year_section SQL injection
- CVE-2026-13488 - SourceCodester preview7.php course_year_section SQL injection
- CVE-2026-13498 - restaurant-management-system forgotpassword email SQL injection
- CVE-2026-13500 - ANTLR4 grammar action block code injection
- CVE-2026-58049 - FFmpeg RASC decoder DLTA row out-of-bounds write
- CVE-2026-58049 - FFmpeg RASC DLTA decoder out-of-bounds heap write
- CVE-2026-58050 - libssh2 publickey attribute count integer overflow
- CVE-2026-58050 - libssh2 publickey attribute count integer overflow
- CVE-2026-58054 - MyBB limited ACP user group privilege escalation
- CVE-2026-58054 - MyBB limited ACP user management administrator escalation
- CVE-2026-58056 - RustDesk file-transfer session control authorization bypass
- CVE-2026-58056 - RustDesk file-transfer session control-scope bypass
- CVE-2026-8095 - WordPress Frontend File Manager arbitrary file deletion
- CVE-2026-8095 - WordPress Frontend File Manager arbitrary file deletion
- CVE-2023-37524 - HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being ou
- CVE-2026-10820 - The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content Wor
- CVE-2026-45258 - dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length a
- CVE-2026-49338 - gonic playlist path traversal
- CVE-2026-49339 - gonic playlist ownership bypass
- CVE-2026-49340 - gonic playlist arbitrary file write
- CVE-2026-49412 - The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from u
- CVE-2026-49413 - The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process fl
- CVE-2026-49414 - The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that comp
- CVE-2026-49416 - The CONS_HISTORY ioctl handler did not adequately validate the requested history size
- CVE-2026-49417 - Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping r
- GHSA-72r4-9c5j-mj57 - pnpm better-node-range CPU exhaustion
- GHSA-fr4h-3cph-29xv - pnpm protocol specifier bypass
- GHSA-qrv3-253h-g69c - pnpm configDependencies symlink traversal
- CVE-2026-11625 - Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
- CVE-2026-11702 - Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
- CVE-2026-13372 - Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Ma
- CVE-2026-2053 - The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently va
- CVE-2026-21734 - A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a wri
- CVE-2026-31928 - The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls,
- CVE-2026-32833 - Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that al
- CVE-2026-32833 - Cudy LT300 NTP configuration command injection
- CVE-2026-33560 - The DMP-5000 file service exposes authenticated arbitrary file upload functionality
- CVE-2026-36478 - An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via
- CVE-2026-38639 - An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a D
- CVE-2026-38641 - An issue in the DSO::mmap_and_copy function of relibc commit 61f42d allows attackers to cause a Denial of Serv
- CVE-2026-45195 - Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigg
- CVE-2026-45807 - Kestra is an open-source, event-driven orchestration platform
- CVE-2026-46604 - The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset
- CVE-2026-46619 - OpenAM Authentication Bypass via MSISDN LDAP Injection
- CVE-2026-46623 - OpenAM Account Takeover via Unverified Password Change in OAuth2 Module
- CVE-2026-46710 - Notepad++ is a free and open-source source code editor
- CVE-2026-47220 - Envoy is an open source edge and service proxy designed for cloud-native applications
- CVE-2026-48042 - Envoy is an open source edge and service proxy designed for cloud-native applications
- CVE-2026-48044 - Envoy is an open source edge and service proxy designed for cloud-native applications
- CVE-2026-48615 - A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error messa
- CVE-2026-48619 - A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead
- CVE-2026-48743 - Envoy is an open source edge and service proxy designed for cloud-native applications
- CVE-2026-48778 - Notepad++ is a free and open-source source code editor
- CVE-2026-48788 - Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
- CVE-2026-48800 - Notepad++ is a free and open-source source code editor
- CVE-2026-48801 - LinkifyIt#match scan loop has quadratic algorithmic complexity
- CVE-2026-48802 - python-engineio has unbound thread allocation that can cause denial of service
- CVE-2026-48804 - python-socketio: Binary attachment accumulation can cause denial of service
- CVE-2026-48809 - python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
- CVE-2026-48933 - A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt() is a multi
- CVE-2026-48979 - PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
- CVE-2026-49258 - Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)
- CVE-2026-49260 - php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (m
- CVE-2026-49286 - PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
- CVE-2026-49287 - Statamic CMS's unsafe method invocation via collection sorting allows data destruction
- CVE-2026-49291 - mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
- CVE-2026-49293 - js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
- CVE-2026-49357 - Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
- CVE-2026-49984 - Kestra is an open-source, event-driven orchestration platform
- CVE-2026-49991 - RustFS is a distributed object storage system built in Rust
- CVE-2026-50016 - pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
- CVE-2026-50132 - Budibase is an open-source low-code platform
- CVE-2026-50136 - Budibase is an open-source low-code platform
- CVE-2026-50741 - Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd
- CVE-2026-52783 - OpenProject is open-source, web-based project management software
- CVE-2026-52884 - Notepad++ is a free and open-source source code editor
- CVE-2026-53281 - In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference
- CVE-2026-53284 - In the Linux kernel, the following vulnerability has been resolved: btrfs: only release the dirty pages io tre
- CVE-2026-53286 - In the Linux kernel, the following vulnerability has been resolved: idpf: fix double free and use-after-free i
- CVE-2026-53290 - In the Linux kernel, the following vulnerability has been resolved: drm/xe/eustall: Fix drm_dev_put called bef
- CVE-2026-53294 - In the Linux kernel, the following vulnerability has been resolved: mailbox: mailbox-test: don't free the reus
- CVE-2026-53296 - In the Linux kernel, the following vulnerability has been resolved: mailbox: mailbox-test: free channels on pr
- CVE-2026-53300 - In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix NTMP DMA use-after-free is
- CVE-2026-53322 - In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Clean up DMABUFs before disablin
- CVE-2026-54351 - Budibase is an open-source low-code platform
- CVE-2026-54353 - Budibase is an open-source low-code platform
- CVE-2026-54826 - Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions
- CVE-2026-54835 - Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions
- CVE-2026-55069 - Kestra is an open-source, event-driven orchestration platform
- CVE-2026-55189 - RustFS is a distributed object storage system built in Rust
- CVE-2026-55975 - A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML f
- CVE-2026-56008 - Contributor Privilege Escalation in Fusion Builder <= 3.15.4 versions
- CVE-2026-56041 - Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions
- CVE-2026-56061 - Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions
- CVE-2026-56414 - A vulnerability exists in H.View IP cameras certificate-related upload interfaces allow authenticated users to
- CVE-2026-56876 - extract-zip does not validate symlink targets when extracting zip archives
- CVE-2026-57314 - Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions
- CVE-2026-57321 - Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions
- CVE-2026-5757 - Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an at
- CVE-2026-57642 - Contributor SQL Injection in Gallery <= 4.7.8 versions
- CVE-2026-57667 - Sales Representative SQL Injection in Groundhogg <= 4.5 versions
- CVE-2026-57915 - It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an un
- CVE-2026-9221 - The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a
- CVE-2026-9640 - A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before
- CVE-2025-60464 - A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box
- CVE-2025-71324 - Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-
- CVE-2025-71328 - Flowise before 3.0.10 contains an unverified password change vulnerability
- CVE-2025-71335 - Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session
- CVE-2026-10097 - wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext byte
- CVE-2026-10512 - The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular red
- CVE-2026-11310 - X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert())
- CVE-2026-11703 - wolfSSL SNI/ALPN session resumption binding bypass
- CVE-2026-11703 - wolfSSL TLS resumption SNI ALPN binding bypass
- CVE-2026-11800 - A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow a
- CVE-2026-11999 - X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X5
- CVE-2026-12053 - GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain
- CVE-2026-12077 - The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the via 'latitude' and 'longi
- CVE-2026-12244 - If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a
- CVE-2026-12245 - NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of
- CVE-2026-12246 - NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted
- CVE-2026-12340 - Out-of-bounds heap read during SM2/SM3 certificate signature verification
- CVE-2026-12490 - When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client ce
- CVE-2026-12569 - PTC Windchill and FlexPLM Improper Input Validation Vulnerability
- CVE-2026-12975 - A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory w
- CVE-2026-12992 - A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling th
- CVE-2026-20230 - Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability
- CVE-2026-27366 - Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions
- CVE-2026-39829 - golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS
- CVE-2026-39951 - Cacti is an open source performance and fault management framework
- CVE-2026-40083 - Cacti is an open source performance and fault management framework
- CVE-2026-46597 - golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic
- CVE-2026-46733 - Dell Display and Peripheral Manager (DDPM Windows), versions prior to 2.3, contain an Improper Access Control
- CVE-2026-46734 - Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Certificate Validat
- CVE-2026-48702 - Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic
- CVE-2026-48708 - OliveTin template race command contamination
- CVE-2026-48995 - pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whate
- CVE-2026-49218 - ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions
- CVE-2026-53132 - In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential unbounded skb
- CVE-2026-53133 - In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix truncation for block sizes
- CVE-2026-53136 - In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer
- CVE-2026-53137 - In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp HDMI HDCP2 rx_id_li
- CVE-2026-53138 - In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Bound VBIOS record-chain
- CVE-2026-53143 - In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix buffer overflow in SDMA qu
- CVE-2026-53145 - In the Linux kernel, the following vulnerability has been resolved: drm/gem: Try to fix change_handle ioctl, a
- CVE-2026-53146 - In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Limit XDomain response copy t
- CVE-2026-53147 - In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request pack
- CVE-2026-53148 - In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data c
- CVE-2026-53153 - In the Linux kernel, the following vulnerability has been resolved: mm/list_lru: drain before clearing xarray
- CVE-2026-53157 - In the Linux kernel, the following vulnerability has been resolved: net: phonet: free phonet_device after RCU
- CVE-2026-53160 - In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free race in
- CVE-2026-53161 - In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free of fastr
- CVE-2026-53162 - In the Linux kernel, the following vulnerability has been resolved: memcg: use round-robin victim selection in
- CVE-2026-53165 - In the Linux kernel, the following vulnerability has been resolved: iomap: avoid potential null folio->mapping
- CVE-2026-53170 - In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uni
- CVE-2026-53171 - In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dma
- CVE-2026-53172 - In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix IFM region index out-of-
- CVE-2026-53173 - In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix OOB write in ethosu_gem_
- CVE-2026-53174 - In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_ca
- CVE-2026-53178 - In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: rtw_mlme: add bounds c
- CVE-2026-53180 - In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix livelock in tmigr_ha
- CVE-2026-53182 - In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject oversized EMA RNR li
- CVE-2026-53183 - In the Linux kernel, the following vulnerability has been resolved: mptcp: allow subflow rcv wnd to shrink In
- CVE-2026-53184 - In the Linux kernel, the following vulnerability has been resolved: udp: clear skb->dev before running a sockm
- CVE-2026-53185 - In the Linux kernel, the following vulnerability has been resolved: zram: fix use-after-free in zram_bvec_writ
- CVE-2026-53187 - In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate cpu_id against nr_cpu_
- CVE-2026-53188 - In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate the passed in fops for
- CVE-2026-53189 - In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: update file PMD counter be
- CVE-2026-53191 - In the Linux kernel, the following vulnerability has been resolved: io_uring/net: inherit IORING_CQE_F_BUF_MOR
- CVE-2026-53192 - In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_par
- CVE-2026-53193 - In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Forcibly close timer instance
- CVE-2026-53194 - In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buff
- CVE-2026-53198 - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of a deferred fi
- CVE-2026-53199 - In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: use kmap_local_page in netvsc_c
- CVE-2026-53200 - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: nv: Fix handling of XN[0] when
- CVE-2026-53201 - In the Linux kernel, the following vulnerability has been resolved: Revert drm/xe: Skip exec queue schedule t
- CVE-2026-53202 - In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix signed integer truncation
- CVE-2026-53203 - In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Add buffer overflow check in M
- CVE-2026-53205 - In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Add bounds checks for firmware
- CVE-2026-53209 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: reject oversized Broa
- CVE-2026-53212 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix use-after-free
- CVE-2026-53217 - In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: sync RX data at the hardware p
- CVE-2026-53223 - In the Linux kernel, the following vulnerability has been resolved: net: guard timestamp cmsgs to real error q
- CVE-2026-53229 - In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix DMA and xdp_frame leak
- CVE-2026-53230 - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix slab-out-of-bounds in mlx5_q
- CVE-2026-53232 - In the Linux kernel, the following vulnerability has been resolved: net: phy: clean the sfp upstream if phy pr
- CVE-2026-53233 - In the Linux kernel, the following vulnerability has been resolved: netdev: fix double-free in netdev_nl_bind_
- CVE-2026-53234 - In the Linux kernel, the following vulnerability has been resolved: net: ibm: emac: Fix use-after-free during
- CVE-2026-53235 - In the Linux kernel, the following vulnerability has been resolved: net: add pskb_may_pull() to skb_gro_receiv
- CVE-2026-53239 - In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexac
- CVE-2026-53240 - In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix use-after-free on first_s
- CVE-2026-53242 - In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption
- CVE-2026-53244 - In the Linux kernel, the following vulnerability has been resolved: VFS: fix possible failure to unlock in nfs
- CVE-2026-53248 - In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadat
- CVE-2026-53250 - In the Linux kernel, the following vulnerability has been resolved: xsk: cache csum_start/csum_offset to fix T
- CVE-2026-53253 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bnep: reject short frames befor
- CVE-2026-53254 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in
- CVE-2026-53255 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV
- CVE-2026-53256 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in
- CVE-2026-53259 - In the Linux kernel, the following vulnerability has been resolved: ipv6: anycast: insert aca into global hash
- CVE-2026-53262 - In the Linux kernel, the following vulnerability has been resolved: l2tp: pppol2tp: hold reference to session
- CVE-2026-53264 - In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: use RCU with deferred
- CVE-2026-53265 - In the Linux kernel, the following vulnerability has been resolved: dm cache policy smq: check allocation unde
- CVE-2026-53266 - In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: make ebt_snat ARP rewri
- CVE-2026-53267 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: bail out on template ct
- CVE-2026-53268 - In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack_irc: fix possible out
- CVE-2026-53270 - In the Linux kernel, the following vulnerability has been resolved: ipvs: clear the svc scheduler ptr early on
- CVE-2026-53272 - In the Linux kernel, the following vulnerability has been resolved: erofs: fix use-after-free on sbi->sync_dec
- CVE-2026-53273 - In the Linux kernel, the following vulnerability has been resolved: tee: optee: prevent use-after-free when th
- CVE-2026-53275 - In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Fix use-after-free when proce
- CVE-2026-53276 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix a use-after-free of th
- CVE-2026-53277 - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Take the SRCU lock for page ta
- CVE-2026-53460 - ImageMagick: Policy Bypass can Trigger an Out-of-Memory condition
- CVE-2026-53461 - ImageMagick has out-of-bounds write in ICON decoder due to incorrect loop
- CVE-2026-54030 - LibreChat is an enhanced ChatGPT clone that supports multiple AI providers
- CVE-2026-54033 - LibreChat is an enhanced ChatGPT clone that supports multiple AI providers
- CVE-2026-54830 - Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions
- CVE-2026-54844 - Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions
- CVE-2026-55092 - Trivy OCI artifact title path traversal
- CVE-2026-55092 - Trivy OCI artifact title path traversal arbitrary write
- CVE-2026-55693 - Vim is an open source, command line text editor
- CVE-2026-55895 - Vim is an open source, command line text editor
- CVE-2026-55958 - Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer
- CVE-2026-55960 - Un-negotiated Raw Public Key (RFC 7250) accepted in place of an X.509 certificate, bypassing chain validation
- CVE-2026-55961 - wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer
- CVE-2026-55967 - AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly
- CVE-2026-56051 - Unauthenticated Cross Site Scripting (XSS) in TablePress <= 3.3.1 versions
- CVE-2026-56123 - socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malici
- CVE-2026-56766 - Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMT
- CVE-2026-56768 - Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowi
- CVE-2026-56769 - Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery v
- CVE-2026-56770 - libais through 0.15 VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS
- CVE-2026-57235 - Nokogiri is an open source XML and HTML library for the Ruby programming language
- CVE-2026-57236 - Nokogiri is an open source XML and HTML library for the Ruby programming language
- CVE-2026-57434 - Nokogiri is an open source XML and HTML library for the Ruby programming language
- CVE-2026-57435 - Nokogiri is an open source XML and HTML library for the Ruby programming language
- CVE-2026-57455 - Vim is an open source, command line text editor
- CVE-2026-57456 - Vim is an open source, command line text editor
- CVE-2026-57520 - Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custo
- CVE-2026-57589 - sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root
- CVE-2026-6325 - Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a
- CVE-2026-6331 - HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid duri
- CVE-2026-6679 - wolfSSL DTLS 1.3 ACK serialization heap overflow
- CVE-2026-6679 - wolfSSL DTLS 1.3 ACK serialization heap overflow
- CVE-2026-6731 - wolfSSL X.509 commonName name-constraint bypass
- CVE-2026-6731 - wolfSSL X.509 name-constraints common-name bypass
- CVE-2026-7511 - PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not co
- CVE-2026-7532 - iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined
- CVE-2026-8592 - OS Command Injection vulnerability in the process_string action of Rapid7 InsightConnect AWK Plugin on Linux a
- CVE-2026-8660 - OS Command Injection vulnerability in the ping action of Rapid7 InsightConnect Ping Plugin on Linux allows rem
- CVE-2026-8665 - OS Command Injection vulnerability in the TR action of Rapid7 InsightConnect Translate Plugin on Linux allows
- CVE-2026-8666 - OS Command Injection vulnerability in the traceroute action of Rapid7 InsightConnect Traceroute Plugin on Linu
- CVE-2026-8720 - wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, pr
- CVE-2026-9086 - A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manag
- CVE-2026-9099 - A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within th
- CVE-2026-9800 - A flaw was found in Keycloak Policy Enforcer
- CVE-2025-60467 - A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Proje
- CVE-2025-60474 - A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26
- CVE-2026-11877 - An unauthorized user can modify configuration through API calls that affects the OpenText Access Manager
- CVE-2026-11998 - A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource
- CVE-2026-13201 - A flaw was found in KubeVirt's safepath package used by virt-handler
- CVE-2026-2050 - GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-44017 - Docling simplifies document processing by parsing diverse formats and providing integrations with the generati
- CVE-2026-44020 - Docling simplifies document processing by parsing diverse formats and providing integrations with the generati
- CVE-2026-48507 - Snipe-IT bulk user lockout privilege escalation
- CVE-2026-49851 - Mistune is a Python Markdown parser with renderers and plugins
- CVE-2026-50189 - Appsmith is a platform to build admin panels, internal tools, and dashboards
- CVE-2026-52923 - In the Linux kernel, the following vulnerability has been resolved: ipc: limit next_id allocation to the valid
- CVE-2026-52943 - In the Linux kernel, the following vulnerability has been resolved: net: skbuff: fix missing zerocopy referenc
- CVE-2026-52945 - In the Linux kernel, the following vulnerability has been resolved: Revert wireguard: device: enable threaded
- CVE-2026-52950 - In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: fix UAF with retry loop Re
- CVE-2026-52951 - In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: handle empty bo and UAF ra
- CVE-2026-52952 - In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_do
- CVE-2026-52956 - In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds acces
- CVE-2026-52969 - In the Linux kernel, the following vulnerability has been resolved: KVM: Reject wrapped offset in kvm_reset_di
- CVE-2026-52972 - In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Cap AEAD AD length to 0x8
- CVE-2026-52973 - In the Linux kernel, the following vulnerability has been resolved: futex: Drop CLONE_THREAD requirement for p
- CVE-2026-52976 - In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix error cleanup in xe_exec_queue
- CVE-2026-52987 - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid double drm_exec_fini() i
- CVE-2026-52991 - In the Linux kernel, the following vulnerability has been resolved: sched/psi: fix race between file release a
- CVE-2026-53000 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nat: use kfree_rcu to release o
- CVE-2026-53009 - In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of tx_buf skb If ice_
- CVE-2026-53016 - In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - copy IV using skcipher ivsiz
- CVE-2026-53033 - In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Take state lock for af_unix
- CVE-2026-53059 - In the Linux kernel, the following vulnerability has been resolved: dm log: fix out-of-bounds write due to reg
- CVE-2026-53071 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Add missing chan lock in
- CVE-2026-53081 - In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce regsafe base id consistency f
- CVE-2026-53085 - In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_v
- CVE-2026-53090 - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ld_{abs,ind} failure path analysi
- CVE-2026-53091 - In the Linux kernel, the following vulnerability has been resolved: net: pull headers in qdisc_pkt_len_segs_in
- CVE-2026-53092 - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix linked reg delta tracking when sr
- CVE-2026-53130 - In the Linux kernel, the following vulnerability has been resolved: fs/omfs: reject s_sys_blocksize smaller th
- CVE-2026-54297 - Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters
- CVE-2026-54329 - Snipe-IT cross-tenant accessory injection
- CVE-2026-54904 - concurrent-ruby is a modern concurrency tools for Ruby
- CVE-2026-56270 - Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api
- CVE-2026-56351 - n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes
- CVE-2026-57281 - Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annota
- CVE-2026-9643 - The WP Meta SEO plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the REQU
- CVE-2023-54365 - Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handl
- CVE-2025-61018 - An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause
- CVE-2025-61020 - An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause
- CVE-2025-61023 - An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denia
- CVE-2025-61028 - An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Den
- CVE-2026-12112 - A flaw was found in the foreman-mcp-server
- CVE-2026-44726 - Deno is a JavaScript, TypeScript, and WebAssembly runtime
- CVE-2026-45732 - n8n is an open source workflow automation platform
- CVE-2026-49401 - Deno is a JavaScript, TypeScript, and WebAssembly runtime
- CVE-2026-49402 - Deno is a JavaScript, TypeScript, and WebAssembly runtime
- CVE-2026-49444 - n8n is an open source workflow automation platform
- CVE-2026-49465 - n8n is an open source workflow automation platform
- CVE-2026-50023 - yt-dlp is a command-line audio/video downloader
- CVE-2026-50193 - jackson-databind deeply nested JsonNode denial of service
- CVE-2026-50193 - jackson-databind JsonNode deep nesting denial of service
- CVE-2026-50574 - yt-dlp is a command-line audio/video downloader
- CVE-2026-52844 - Caddy is an extensible server platform that uses TLS by default
- CVE-2026-52845 - Caddy is an extensible server platform that uses TLS by default
- CVE-2026-53754 - Crawl4AI is an open-source LLM friendly web crawler & scraper
- CVE-2026-53755 - Crawl4AI is an open-source LLM friendly web crawler & scraper
- CVE-2026-54304 - n8n is an open source workflow automation platform
- CVE-2026-54308 - n8n is an open source workflow automation platform
- CVE-2026-54513 - jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Proce
- CVE-2026-54761 - Traefik is an HTTP reverse proxy and load balancer
- CVE-2026-54762 - Traefik is an HTTP reverse proxy and load balancer
- CVE-2025-66336 - Apache Doris MCP Server metadata SQL injection
- CVE-2025-66389 - GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a fi
- CVE-2026-11745 - Central Dogma Git mirror SSH host-key verification bypass
- CVE-2026-41045 - qSnapper polkit authentication TOCTOU bypass
- CVE-2026-41045 - qSnapper polkit TOCTOU authentication bypass
- CVE-2026-41046 - qSnapper configName path traversal
- CVE-2026-41046 - qSnapper configName path traversal privilege escalation
- CVE-2026-41048 - qSnapper method-level polkit authorization cache confusion
- CVE-2026-41048 - qSnapper polkit authorization cache cross-method bypass
- CVE-2026-41049 - qSnapper cross-user polkit authorization cache confusion
- CVE-2026-41049 - qSnapper polkit authorization cache cross-user bypass
- CVE-2026-41523 - vLLM is an inference and serving engine for large language models (LLMs)
- CVE-2026-42127 - The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticat
- CVE-2026-42129 - Grafana Loki datasource callResource traversal
- CVE-2026-44271 - Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Neutralization of Special El
- CVE-2026-49241 - The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates
- CVE-2026-50168 - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript
- CVE-2026-50170 - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript
- CVE-2026-50178 - The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates
- CVE-2026-50269 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54099 - A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform
- CVE-2026-54100 - A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform
- CVE-2026-54268 - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript
- CVE-2026-54273 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54274 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54275 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54277 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54278 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54279 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54280 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2026-54293 - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting
- CVE-2026-55602 - http-proxy-middleware is node.js http-proxy middleware
- CVE-2026-56266 - Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md,
- CVE-2026-56425 - The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0
- CVE-2026-8858 - IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code ex
- CVE-2026-9029 - The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug
- CVE-2026-9072 - IBM WebSphere Application Server and IBM WebSphere Application Server Liberty - when using Intelligent Managem
- CVE-2025-71348 - picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_co
- CVE-2025-71357 - picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runc
- CVE-2025-71378 - picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowin
- CVE-2026-12773 - A weakness has been identified in BerriAI litellm up to 1.59.8
- CVE-2026-56340 - vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing
- CVE-2026-3195 - A flaw was found in QEMU. When reading input audio in the virtio-snd device input callback, the virtio_snd_pc
- CVE-2026-47645 - Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unautho
- CVE-2026-48715 - radvd is a router advertisement daemon for IPv6
- CVE-2026-50559 - Quarkus is a Java framework for building cloud-native applications
- CVE-2026-52910 - In the Linux kernel, the following vulnerability has been resolved: bpf: Free reuseport cBPF prog after RCU gr
- CVE-2026-53915 - In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
- CVE-2026-56208 - A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation
- CVE-2026-56209 - An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation
- CVE-2026-56210 - A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation
- CVE-2026-56211 - A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation
- CVE-2026-12505 - A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privil
- CVE-2026-43994 - Coturn is a free open source implementation of TURN and STUN Server
- CVE-2026-55203 - HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn st
- CVE-2026-8461 - An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, all
- CVE-2026-12151 - Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a mes
- CVE-2026-2467 - Heap-based Buffer Overflow vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variable
- CVE-2026-2674 - Out-of-bounds Write, Out-of-bounds Write, Out-of-bounds Write vulnerability in RTI Connext Professional (Queue
- CVE-2026-30799 - Missing Authentication for Critical Function vulnerability in RTI Connext Professional (Security Plugins) allo
- CVE-2026-30802 - Out-of-bounds Read vulnerability in RTI Connext Micro (Core Libraries) allows Overread Buffers.This issue affe
- CVE-2026-42055 - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module
- CVE-2026-42530 - NGINX Open Source has a vulnerability in the ngx_http_v3_module module
- CVE-2026-47774 - Envoy is an open source edge and service proxy designed for cloud-native applications
- CVE-2026-48294 - Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin d
- CVE-2026-48779 - ws is an open source WebSocket client and server for Node.js
- CVE-2026-55200 - libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transpor
- CVE-2026-6734 - undici Socks5ProxyAgent cross-origin pool confusion
- CVE-2026-6734 - undici Socks5ProxyAgent cross-origin pool reuse
- CVE-2026-9697 - Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (sock
- CVE-2026-10649 - A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerabilit
- CVE-2026-12191 - openpilot pickle deserialization
- CVE-2026-12289 - Privilege escalation in the Graphics: WebRender component
- CVE-2026-12290 - Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firef
- CVE-2026-12291 - Use-after-free in the Networking: HTTP component
- CVE-2026-12292 - Incorrect boundary conditions in the Web Audio component
- CVE-2026-12326 - Memory safety bugs present in Firefox 151 and Thunderbird 151
- CVE-2026-12328 - Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and
- CVE-2026-12398 - A command injection vulnerability was found in galaxy_ng
- CVE-2026-46331 - In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading t
- CVE-2026-50656 - Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defend
- CVE-2026-6933 - Premmerce Dev Tools plugin creation RCE
- CVE-2026-8176 - LatePoint agent privilege escalation
- CVE-2026-8442 - WP Review Slider Pro arbitrary file deletion
- CVE-2026-8443 - WP Review Slider Pro stypes SQL injection
- CVE-2026-8444 - WP Review Slider Pro curselrevs SQL injection
- CVE-2026-11417 - aws-cdk-lib NodejsFunction bundling command injection
- CVE-2026-40987 - Spring Integration remote file sync arbitrary write
- CVE-2026-40994 - Spring WS BSP validation disabled by default
- CVE-2026-40998 - Spring WS XPath XXE via StreamSource and SAXSource
- CVE-2026-41003 - Spring Security generated form XSS
- CVE-2026-41842 - Spring versioned resource resolution DoS
- CVE-2026-41849 - Spring SpEL integer overflow DoS
- CVE-2026-41850 - Spring SpEL algorithmic DoS
- CVE-2026-48818 - Starlette StaticFiles UNC SSRF and NTLM leak
- CVE-2026-49853 - Tornado cross-origin redirect credential leak
- CVE-2026-50010 - Netty trust manager hostname verification bypass
- CVE-2026-52719 - An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad
- CVE-2026-52720 - A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client)
- CVE-2026-52722 - A signed integer overflow vulnerability was found in GStreamer's VMnc decoder
- CVE-2026-53705 - A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good
- CVE-2026-54271 - protobufjs-cli JSON descriptor code injection
- CVE-2026-54281 - Nest Fastify trailing-slash middleware bypass
- CVE-2026-6040 - A heap use-after-free existed when importing the blank-width characters of an ODF number format
- CVE-2026-8357 - LibreOffice Calc compiles cell formulas when opening a spreadsheet
- CVE-2026-9863 - Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for
- CVE-2026-42563 - Dulwich merge driver path command injection
- CVE-2026-44249 - Netty IPv6 subnet filter bypass
- CVE-2026-44250 - Netty Redis array depth denial of service
- CVE-2026-48109 - MessagePack LZ4 decompression denial of service
- CVE-2026-11769 - We have released version 5.24.0 of the Grafana Operator
- CVE-2026-48054 - OpenZeppelin Wizard generated test code injection
- CVE-2026-48068 - grpc-js malformed request server crash
- CVE-2026-48069 - grpc-js malformed compressed message crash
- CVE-2026-48146 - Budibase OAuth2 validation SSRF
- CVE-2026-48151 - Budibase webhook schema auth bypass
- CVE-2026-48152 - Budibase REST datasource auth exfiltration
- CVE-2026-49741 - TYPO3 form framework privilege escalation and SQL injection
- CVE-2026-53999 - Radius controller confused-deputy delete
- CVE-2026-54090 - File Browser shell metacharacter command injection
- CVE-2026-54228 - A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement meth
- CVE-2026-54229 - A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method
- CVE-2026-54230 - A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport
- GHSA-gv7w-rqvm-qjhr - esbuild Deno binary integrity RCE
- CVE-2026-12143 - form-data is a library for creating readable multipart/form-data streams
- CVE-2026-44168 - MariaDB server is a community developed fork of MySQL server
- CVE-2026-44893 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-44894 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-45169 - Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 e
- CVE-2026-45416 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-45830 - A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authen
- CVE-2026-45832 - All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the au
- CVE-2026-45833 - A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticat
- CVE-2026-46340 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-48006 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-48059 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-48163 - MariaDB server is a community developed fork of MySQL server
- CVE-2026-48165 - MariaDB server is a community developed fork of MySQL server
- CVE-2026-48748 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-50011 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-50085 - The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the
- CVE-2026-50632 - A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE)
- CVE-2026-50633 - A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for
- CVE-2026-53406 - Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before ve
- CVE-2026-53407 - Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and
- CVE-2025-48384 - Git submodule config quoting code execution
- CVE-2025-53967 - Framelink Figma MCP curl command injection
- CVE-2026-0723 - GitLab 2FA device response bypass
- CVE-2026-10142 - kafka-python frame length parser DoS
- CVE-2026-10143 - kafka-python SCRAM iteration count DoS
- CVE-2026-11774 - An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base)
- CVE-2026-11816 - Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities lo
- CVE-2026-41699 - Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL que
- CVE-2026-41700 - Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSock
- CVE-2026-41856 - The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve anno
- CVE-2026-42271 - LiteLLM MCP stdio command execution
- CVE-2026-44486 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44487 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44488 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44492 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44494 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44495 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44496 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44890 - Netty is a network application framework for development of protocol servers and clients
- CVE-2026-46519 - mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management
- CVE-2026-47162 - Vim is an open source, command line text editor
- CVE-2026-52860 - Vim is an open source, command line text editor
- CVE-2026-53738 - Copy & Delete Posts AJAX privilege escalation
- CVE-2026-5497 - vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to u
- CVE-2026-0270 - A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an u
- CVE-2026-0271 - A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices e
- CVE-2026-0272 - A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administra
- CVE-2026-0273 - A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrato
- CVE-2026-11837 - A local privilege escalation vulnerability was found in the ansible.posix authorized_key module
- CVE-2026-2049 - GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-24716 - A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
- CVE-2026-24719 - A command injection vulnerability has been reported to affect several QNAP operating system versions
- CVE-2026-40993 - Spring Security JDBC SAML credential deserialization
- CVE-2026-40993 - Spring Security SAML credential BLOB deserialization RCE
- CVE-2026-41716 - Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cach
- CVE-2026-41717 - Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability
- CVE-2026-41728 - Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access fil
- CVE-2026-41731 - JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted package
- CVE-2026-46520 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-46522 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-46529 - Atril Document Viewer is the default document reader of the MATE desktop environment for Linux
- CVE-2026-46625 - JavaScript Cookie is a JavaScript API for handling cookies, client-side
- CVE-2026-49396 - Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents
- CVE-2026-49759 - Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attac
- CVE-2026-53435 - In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserializ
- CVE-2026-6893 - A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by provid
- CVE-2025-71319 - image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanentl
- CVE-2026-40983 - In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of
- CVE-2026-40984 - In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of
- CVE-2026-41855 - In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and
- CVE-2026-42570 - Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficien
- CVE-2026-44895 - GitLab MCP Server SSE auth bypass
- CVE-2026-45447 - Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#
- CVE-2026-45490 - Improper authorization in .NET allows an authorized attacker to elevate privileges locally
- CVE-2026-45591 - Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a netwo
- CVE-2026-46323 - In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skb_gro_r
- CVE-2026-46328 - In the Linux kernel, the following vulnerability has been resolved: apparmor: fix rlimit for posix cpu timers
- CVE-2026-47261 - wasmtime-wasi FilePerms WRITE bypass
- CVE-2026-47907 - Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that co
- CVE-2026-47931 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability tha
- CVE-2026-47937 - Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Ele
- CVE-2026-5068 - A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP
- CVE-2026-11577 - A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in
- CVE-2026-26329 - OpenClaw browser upload file read
- CVE-2026-26422 - clash-verge-service-ipc world-reachable IPC LPE
- CVE-2026-27905 - BentoML tar symlink arbitrary write
- CVE-2026-3238 - A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller
- CVE-2026-34070 - LangChain load_prompt path traversal
- CVE-2026-34077 - React Router Single Fetch serialization DoS
- CVE-2026-34355 - A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted
- CVE-2026-42536 - Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted
- CVE-2026-44023 - Docling Core remote filename SSRF
- CVE-2026-44185 - Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP
- CVE-2026-44210 - Kata virtiofsd annotation VM escape
- CVE-2026-44974 - @hapi/content parameter smuggling upload-filter bypass
- CVE-2026-45063 - Symfony X509Authenticator DN identity spoofing
- CVE-2026-46279 - In the Linux kernel, the following vulnerability has been resolved: mm/alloc_tag: clear codetag for pages allo
- CVE-2026-46281 - In the Linux kernel, the following vulnerability has been resolved: vmalloc: fix buffer overflow in vrealloc_n
- CVE-2026-46285 - In the Linux kernel, the following vulnerability has been resolved: mtd: docg3: fix use-after-free in docg3_re
- CVE-2026-46293 - In the Linux kernel, the following vulnerability has been resolved: clk: microchip: mpfs-ccc: fix out of bound
- CVE-2026-46294 - In the Linux kernel, the following vulnerability has been resolved: dm: fix a buffer overflow in ioctl process
- CVE-2026-46301 - In the Linux kernel, the following vulnerability has been resolved: spi: topcliff-pch: fix use-after-free on u
- CVE-2026-46308 - In the Linux kernel, the following vulnerability has been resolved: pmdomain: mediatek: fix use-after-free in
- CVE-2026-46309 - In the Linux kernel, the following vulnerability has been resolved: drm/xe/uapi: Reject coh_none PAT index for
- CVE-2026-47412 - PraisonAI Platform workspace delete RBAC bypass
- CVE-2026-47418 - PraisonAI Platform project IDOR
- CVE-2026-47691 - Netty DNS bailiwick cache poisoning
- CVE-2026-49975 - Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of
- CVE-2026-6321 - fast-uri encoded path traversal
- CVE-2026-10796 - nvm mirror version command injection
- CVE-2026-23869 - React Server Components DoS
- CVE-2026-24425 - Twig SourcePolicyInterface callback bypass
- CVE-2026-27893 - vLLM trust_remote_code bypass
- CVE-2026-33245 - React Router RSC redirect XSS
- CVE-2026-41236 - Froxlor SSH key symlink root access
- CVE-2026-41680 - marked tokenizer OOM denial of service
- CVE-2026-44420 - FreeRDP cliprdr server heap overflow
- CVE-2026-45505 - Apache ActiveMQ Jolokia discovery wrapper bypass
- CVE-2026-46640 - Twig macro-reference compilation RCE
- CVE-2026-47214 - Docling HTML backend URI and path handling
- CVE-2026-47397 - PraisonAI arbitrary file write
- CVE-2026-47732 - Twig toString sandbox bypass
- CVE-2026-47743 - Shopper admin Livewire integrity and disclosure flaws
- CVE-2026-47759 - TinyMCE data-mce attribute XSS
- CVE-2026-47760 - TinyMCE nested SVG sanitizer XSS
- CVE-2026-47761 - TinyMCE media data-mce-object XSS
- CVE-2026-47762 - TinyMCE mce:protected comment XSS
- CVE-2026-48169 - PraisonAI Platform cross-workspace IDOR
- CVE-2026-49143 - browserstack-runner log handler RCE
- GHSA-63gr-g7jc-v8rg - AgenticMail MCP HTTP auth bypass
- GHSA-hf2g-6j7h-98wg - Klever-Go direct-message goroutine DoS
- GHSA-rm5c-5x2p-48wr - Klever-Go P2P nil RawData DoS
- GHSA-w4c6-7r69-w7j9 - Klever-Go REST API slow-header DoS
- GHSA-wx3m-whqv-xv47 - skillctl path and symlink traversal
- CVE-2026-41010 - BOSH Director release job command injection
- CVE-2026-42211 - React Router Framework Mode deserialization RCE
- CVE-2026-42342 - React Router __manifest path-expansion DoS
- CVE-2026-47423 - DOMPurify selectedcontent re-clone XSS
- CVE-2026-48017 - DbGate loadReader functionName RCE
- CVE-2026-48119 - Nezha service-monitor result forgery
- CVE-2026-48501 - GitHub CLI TUF token leakage
- CVE-2026-11332 - A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications
- CVE-2026-21035 - Improper input validation in Samsung Plus TV prior to version 1.0.28.6 allows remote attackers to access sensi
- CVE-2026-21037 - Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitr
- CVE-2026-41567 - Moby is an open source container framework
- CVE-2026-47684 - Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
- CVE-2026-50256 - A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland
- CVE-2026-50257 - A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence()
- CVE-2026-50258 - A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland
- CVE-2026-50259 - A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland
- CVE-2026-50260 - A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter()
- CVE-2026-50261 - A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter()
- CVE-2026-50264 - An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFor
- CVE-2025-12694 - A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrat
- CVE-2026-10840 - A flaw was found in the OpenShift Pipelines operator
- CVE-2026-10843 - A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS
- CVE-2026-44393 - An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0
- CVE-2026-22054 - Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attac
- CVE-2026-22055 - Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker
- CVE-2026-4035 - A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables i
- CVE-2026-46246 - In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-f
- CVE-2026-46250 - In the Linux kernel, the following vulnerability has been resolved: MIPS: Work around LLVM bug when gp is used
- CVE-2026-46251 - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block_group_tree dirty_list cor
- CVE-2026-46253 - In the Linux kernel, the following vulnerability has been resolved: pstore/ram: fix buffer overflow in persist
- CVE-2026-46259 - In the Linux kernel, the following vulnerability has been resolved: procfs: fix missing RCU protection when re
- CVE-2026-46260 - In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix out-of-bound access in fib6_add_
- CVE-2026-46265 - In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix WQ_MEM_RECLAIM warning When
- CVE-2026-46267 - In the Linux kernel, the following vulnerability has been resolved: nfc: hci: shdlc: Stop timers and work befo
- CVE-2026-46270 - In the Linux kernel, the following vulnerability has been resolved: power: supply: rt9455: Fix use-after-free
- CVE-2026-6657 - A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin vali
- CVE-2026-10701 - Incorrect boundary conditions in the Graphics: Text component
- CVE-2026-1784 - The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy
- CVE-2026-3514 - Prefect has an Authentication Middleware Bypass when URL paths are appended with 'health' or 'ready'
- CVE-2026-42504 - Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU
- CVE-2019-25718 - Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out
- CVE-2024-52011 - launch-editor allows users to open files with line numbers in editor from Node.js
- CVE-2025-70099 - A NULL pointer dereference in the ext4_dir_en_get_name_len function in include/ext4_dir.h of lwext4 1.0.0 allo
- CVE-2026-10118 - A flaw was found in Poppler's Splash backend
- CVE-2026-35563 - Apache Directory LDAP API lacks server certificate verification for LDAP hostnames
- CVE-2026-40961 - Apache Airflow: Authenticated users can bypass the is_safe_url check
- CVE-2026-41084 - Apache Airflow Vulnerable to Authorization Bypass Through User-Controlled Key
- CVE-2026-42359 - Apache Airflow has a Deserialization of Untrusted Data vulnerability
- CVE-2026-42588 - Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ have a Code Injection issue
- CVE-2026-43958 - A flaw was found in rrdcached, a component of rrdtool
- CVE-2026-44825 - Apache Solr has hardcoded credentials in the Basic Authentication setup tool
- CVE-2026-45360 - Apache Airflow Vulnerable to Deserialization of Untrusted Data
- CVE-2026-46243 - In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego
- CVE-2026-48827 - Apache MINA SSHD bundle sshd-git has a path traversal vulnerability
- CVE-2026-49121 - AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerabili
- CVE-2026-49157 - Apache ActiveMQ has an Incorrect Default Permissions vulnerability
- CVE-2026-49298 - Apache Airflow: Execution API JWT leaked via KubernetesExecutor worker command-line args
- CVE-2026-49361 - Apache Fluss: Unauthenticated remote attackers can exhaust JVM heap memory using crafted frame headers via TabletServer/
- CVE-2026-41237 - Froxlor has an incomplete fix for CVE-2026-30932
- CVE-2026-42965 - A flaw was found in the OpenShift Router
- CVE-2026-44421 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-44422 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-46384 - iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled
- CVE-2026-46385 - iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attac
- CVE-2026-46579 - A flaw was found in the OpenShift Router
- CVE-2026-46116 - In the Linux kernel, the following vulnerability has been resolved: xfrm: defensively unhash xfrm_state lists
- CVE-2026-46117 - In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON
- CVE-2026-46125 - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connecti
- CVE-2026-46145 - In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashik
- CVE-2026-46152 - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from f
- CVE-2026-46166 - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in
- CVE-2026-46176 - In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in
- CVE-2026-46181 - In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_
- CVE-2026-46189 - In the Linux kernel, the following vulnerability has been resolved: RDMA/vmw_pvrdma: Fix double free on pvrdma
- CVE-2026-46215 - In the Linux kernel, the following vulnerability has been resolved: drm: Set old handle to NULL before prime s
- CVE-2026-46227 - In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_se
- CVE-2026-48526 - PyJWT is a JSON Web Token implementation in Python
- CVE-2026-5394 - Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save
- CVE-2026-9795 - A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature
- CVE-2026-9804 - A flaw was found in KubeVirt's virt-exportserver component
- CVE-2025-71306 - In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_cr
- CVE-2026-1933 - A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes
- CVE-2026-3012 - A flaw was found in Samba’s certificate auto-enrollment Group Policy handling
- CVE-2026-42790 - Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) al
- CVE-2026-44724 - systeminformation is a System and OS information library for node.js
- CVE-2026-44739 - Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration
- CVE-2026-44741 - Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parame
- CVE-2026-45162 - Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
- CVE-2026-45260 - Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
- CVE-2026-45357 - LiquidJS has a memory and render limit bypass via unbounded width padding in date filter (strftime)
- CVE-2026-45617 - LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in strip_html Filter Regex
- CVE-2026-45704 - Pimcore has a CustomReports Share Bypass
- CVE-2026-45837 - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in arena_vm_close
- CVE-2026-45839 - In the Linux kernel, the following vulnerability has been resolved: bpf: reject negative CO-RE accessor indice
- CVE-2026-45851 - In the Linux kernel, the following vulnerability has been resolved: efi: Fix reservation of unaccepted memory
- CVE-2026-45852 - In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_
- CVE-2026-45853 - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Use kvfree instead of kfree in
- CVE-2026-45856 - In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Validate wqe_size before usin
- CVE-2026-45859 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: do shared-unco
- CVE-2026-45860 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: increase the conn
- CVE-2026-45861 - In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qd_put Co
- CVE-2026-45862 - In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Flush cache for PASID table be
- CVE-2026-45866 - In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caif_s
- CVE-2026-45867 - In the Linux kernel, the following vulnerability has been resolved: power: supply: act8945a: Fix use-after-fre
- CVE-2026-45878 - In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix watch_id bounds checking i
- CVE-2026-45879 - In the Linux kernel, the following vulnerability has been resolved: power: supply: bq25980: Fix use-after-free
- CVE-2026-45882 - In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_bms_vm: Fix use-afte
- CVE-2026-45885 - In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-battery: Fix use-afte
- CVE-2026-45891 - In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx sp
- CVE-2026-45893 - In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix & Optimize table creation fr
- CVE-2026-45896 - In the Linux kernel, the following vulnerability has been resolved: mtd: intel-dg: Fix accessing regions befor
- CVE-2026-45902 - In the Linux kernel, the following vulnerability has been resolved: power: supply: bq256xx: Fix use-after-free
- CVE-2026-45910 - In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race condition in QP timer h
- CVE-2026-45914 - In the Linux kernel, the following vulnerability has been resolved: Revert hwmon: (ibmpex) fix use-after-free
- CVE-2026-45916 - In the Linux kernel, the following vulnerability has been resolved: power: supply: sbs-battery: Fix use-after-
- CVE-2026-45935 - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in D
- CVE-2026-45936 - In the Linux kernel, the following vulnerability has been resolved: power: supply: goldfish: Fix use-after-fre
- CVE-2026-45938 - In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-f
- CVE-2026-45946 - In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix use-after-free
- CVE-2026-45957 - In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to
- CVE-2026-45970 - In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv duri
- CVE-2026-45984 - In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline d
- CVE-2026-45998 - In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare
- CVE-2026-46033 - In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject short ahash di
- CVE-2026-46054 - In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect
- CVE-2026-46090 - In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during f
- CVE-2026-46094 - In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in check_xattrs() t
- CVE-2026-46097 - In the Linux kernel, the following vulnerability has been resolved: Input: edt-ft5x06 - fix use-after-free in
- CVE-2026-46099 - In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and r
- CVE-2026-48962 - IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-con
- CVE-2026-49014 - GDAL: scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow
- CVE-2026-49017 - OpenStack Swift: s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body
- CVE-2026-9312 - A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an
- CVE-2026-3473 - Mattermost doesn't validate file ownership and access control
- CVE-2026-3515 - Prefect has an Argument Injection issue
- CVE-2026-40033 - FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote a
- CVE-2026-42012 - A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially craft
- CVE-2026-42013 - A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could ca
- CVE-2026-42089 - yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
- CVE-2026-42782 - Apache Syncope has an Improper Isolation or Compartmentalization vulnerability
- CVE-2026-4372 - HuggingFace transformers vulnerable to remote code execution
- CVE-2026-44209 - Banks generates meaningful LLM prompts using a template language that makes sense
- CVE-2026-44417 - Apache CXF: Untrusted JMS configuration can lead to RCE
- CVE-2026-45361 - Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default
- CVE-2026-48864 - A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled
- CVE-2026-5260 - A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA
- CVE-2026-5308 - Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
- CVE-2026-5740 - Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
- CVE-2026-43503 - In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker
- CVE-2026-46300 - In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker d
- CVE-2026-46717 - Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
- CVE-2026-9256 - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module
- CVE-2026-9277 - shell-quote's quote() function did not validate object-token inputs against the operator model used by pars
- CVE-2026-43494 - In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page
- CVE-2026-43499 - In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of curre
- CVE-2026-47101 - LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that t
- CVE-2026-47102 - LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint
- CVE-2026-48989 - Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
- CVE-2026-29518 - Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file hand
- CVE-2026-3039 - BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessi
- CVE-2026-3593 - A use-after-free vulnerability exists within the DNS-over-HTTPS implementation
- CVE-2026-41292 - NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related
- CVE-2026-42944 - NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow
- CVE-2026-42959 - NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC vali
- CVE-2026-43618 - Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where
- CVE-2026-47783 - In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel
- CVE-2026-5946 - Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Inte
- CVE-2026-5947 - Undefined behavior may result due to a race condition leading to a use-after-free violation
- CVE-2026-8632 - A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software
- CVE-2026-9064 - A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enfor
- CVE-2025-51427 - An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module l
- CVE-2026-27173 - JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only acce
- CVE-2026-32740 - libheif is a HEIF and AVIF file format decoder and encoder
- CVE-2026-32741 - libheif is a HEIF and AVIF file format decoder and encoder
- CVE-2026-32882 - libheif is a HEIF and AVIF file format decoder and encoder
- CVE-2026-46373 - SQLFluff: Recursive Stack Overflow in Parser
- CVE-2026-46374 - SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser
- CVE-2026-6009 - Jaspersoft Reports: Java Deserialization Vulnerability Lleads to Remote Code Execution (RCE)
- CVE-2026-7307 - A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the
- CVE-2026-7504 - A flaw was found in Keycloak's URL validation logic during redirect operations
- CVE-2026-7507 - A session fixation vulnerability was found in Keycloak's login-actions endpoints
- CVE-2026-8727 - TYPO3 Remote Code Execution in extension Site Crawler (crawler)
- CVE-2026-8827 - TYPO3 SQL Injection in extension Address List (tt_address)
- CVE-2026-8945 - Sandbox escape in Firefox and Firefox Focus for Android
- CVE-2026-8946 - Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-8947 - Use-after-free in the DOM: Bindings (WebIDL) component
- CVE-2026-8973 - Memory safety bugs present in Firefox 150
- CVE-2026-8975 - Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150
- CVE-2026-42009 - A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security
- CVE-2025-54518 - Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an a
- CVE-2026-34253 - A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package
- CVE-2026-38728 - smtp-server's command parser memory exhaustion denial-of-service
- CVE-2026-45395 - Open WebUI tool update authorization RCE
- CVE-2026-46333 - In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' lo
- CVE-2026-20224 - A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauth
- CVE-2026-44216 - Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic
- CVE-2026-44673 - libyang is a YANG data modeling language library
- CVE-2026-46477 - FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
- CVE-2026-46478 - FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
- CVE-2026-46479 - FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
- CVE-2026-6473 - Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the se
- CVE-2026-6477 - Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(
- GHSA-m99r-2hxc-cp3q - Flowise MCP security bypass RCE
- CVE-2026-20916 - An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisc
- CVE-2026-32643 - A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at
- CVE-2026-32673 - A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource
- CVE-2026-33376 - When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses
- CVE-2026-33377 - An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard
- CVE-2026-34176 - When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclos
- CVE-2026-36741 - U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection
- CVE-2026-39455 - When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authen
- CVE-2026-39458 - When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can ca
- CVE-2026-39459 - A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated att
- CVE-2026-40060 - When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can
- CVE-2026-40061 - When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (
- CVE-2026-40067 - When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd proc
- CVE-2026-40423 - When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Mic
- CVE-2026-40618 - When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist
- CVE-2026-40629 - When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop
- CVE-2026-40631 - An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objec
- CVE-2026-40698 - A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at
- CVE-2026-42266 - JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Noteb
- CVE-2026-42561 - Python-Multipart is a streaming multipart parser for Python
- CVE-2026-42578 - Netty is an asynchronous, event-driven network application framework
- CVE-2026-42579 - Netty is an asynchronous, event-driven network application framework
- CVE-2026-42584 - Netty is an asynchronous, event-driven network application framework
- CVE-2026-42587 - Netty is an asynchronous, event-driven network application framework
- CVE-2026-43998 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44001 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44004 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44289 - protobufjs compiles protobuf definitions into JavaScript (JS) functions
- CVE-2026-44293 - protobufjs compiles protobuf definitions into JavaScript (JS) functions
- CVE-2026-44432 - urllib3 is an HTTP client library for Python
- CVE-2026-44573 - Next.js is a React framework for building full-stack web applications
- CVE-2026-44574 - Next.js is a React framework for building full-stack web applications
- CVE-2026-44578 - Next.js is a React framework for building full-stack web applications
- CVE-2026-44579 - Next.js is a React framework for building full-stack web applications
- CVE-2026-5773 - libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers
- CVE-2025-40947 - A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (
- CVE-2026-22925 - A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0)
- CVE-2026-27851 - When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly i
- CVE-2026-32177 - Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally
- CVE-2026-35433 - Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally
- CVE-2026-42595 - Gotenberg Chromium URL SSRF
- CVE-2026-42899 - Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny
- CVE-2026-44339 - PraisonAI unsafe tool resolution
- CVE-2026-44340 - PraisonAI recipe symlink extraction escape
- CVE-2026-44411 - A vulnerability has been identified in Solid Edge SE2026 (All versions < V226.0 Update 5)
- CVE-2026-8389 - JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-8390 - Use-after-free in the JavaScript: WebAssembly component
- GHSA-6xcp-7mpr-m7wm - Open WebUI CORS and session RCE chain
- CVE-2026-2614 - A vulnerability in the _create_model_version() handler of mlflow/server/handlers.py in mlflow/mlflow versi
- CVE-2026-28847 - The issue was addressed with improved memory handling
- CVE-2026-28883 - A use-after-free issue was addressed with improved memory management
- CVE-2026-28904 - The issue was addressed with improved memory handling
- CVE-2026-28905 - The issue was addressed with improved memory handling
- CVE-2026-28947 - A use-after-free issue was addressed with improved memory management
- CVE-2026-28953 - The issue was addressed with improved memory handling
- CVE-2026-28955 - The issue was addressed with improved memory handling
- CVE-2026-31253 - flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism
- CVE-2026-43500 - In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets
- CVE-2026-43658 - The issue was addressed with improved memory handling
- CVE-2026-45033 - GitHub Copilot CLI nested bare repo RCE
- CVE-2026-4802 - A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command executio
- CVE-2026-4890 - A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a
- CVE-2026-4892 - A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers
- CVE-2026-5172 - A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds
- CVE-2026-6433 - The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in
- CVE-2026-7210 - xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, w
- CVE-2026-39852 - Quarkus matrix-parameter authorization bypass
- CVE-2026-44513 - Diffusers trust_remote_code bypass
- CVE-2026-45109 - Next.js segment-prefetch middleware bypass
- CVE-2026-7262 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a
- CVE-2026-7263 - In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data in
- CVE-2026-7568 - In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the met
- CVE-2026-8177 - XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names contai
- CVE-2026-41163 - bubblewrap is a low-level unprivileged sandboxing tool
- CVE-2026-42246 - Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby
- CVE-2026-42294 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-42296 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-42297 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-41247 - elFinder ImageMagick bg command injection
- CVE-2026-41490 - Dagster dynamic partition SQL injection
- CVE-2026-42203 - LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format
- CVE-2026-42264 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-42274 - Heimdall policy interpretation bypass cluster
- CVE-2026-43284 - In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on share
- CVE-2026-43291 - In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Fix parameter validation fo
- CVE-2026-43296 - In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Workaround SQM/PSE stalls by
- CVE-2026-43329 - In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for m
- CVE-2026-43456 - In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_
- GHSA-xmxx/GHSA-mr34/GHSA-2gvc - OpenClaw gateway boundary hardening
- CVE-2026-33811 - When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C me
- CVE-2026-33814 - When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames i
- CVE-2026-39820 - Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU
- CVE-2026-40981 - When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request
- CVE-2026-41139 - Math.js is an extensive math library for JavaScript and Node.js
- CVE-2026-41142 - OpenEXR provides the specification and reference implementation of the EXR file format, an image storage forma
- CVE-2026-41672 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-41673 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-41674 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-41675 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-42010 - A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfull
- CVE-2026-42011 - A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly igno
- CVE-2026-42499 - Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322
- CVE-2026-42582 - Netty HTTP/3 QPACK literal unbounded allocation
- CVE-2026-8090 - Use-after-free in the DOM: Networking component
- CVE-2026-8092 - Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1
- CVE-2026-8093 - Memory safety bugs present in Firefox 150.0.1
- CVE-2025-71261 - Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
- CVE-2026-20167 - A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authe
- CVE-2026-33079 - In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerab
- CVE-2026-43078 - In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix page reassignment ove
- CVE-2026-43112 - In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in c
- CVE-2026-43128 - In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in fai
- CVE-2026-43133 - In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMLOAD/VMS
- CVE-2026-43134 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix missing key size che
- CVE-2026-43139 - In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_ge
- CVE-2026-43141 - In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix shift-out-of-bo
- CVE-2026-43150 - In the Linux kernel, the following vulnerability has been resolved: perf/arm-cmn: Reject unsupported hardware
- CVE-2026-43153 - In the Linux kernel, the following vulnerability has been resolved: xfs: remove xfs_attr_leaf_hasname The call
- CVE-2026-43158 - In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding x
- CVE-2026-43178 - In the Linux kernel, the following vulnerability has been resolved: procfs: fix possible double mmput() in do_
- CVE-2026-43180 - In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: remove TX queue manipula
- CVE-2026-43184 - In the Linux kernel, the following vulnerability has been resolved: rnbd-srv: Zero the rsp buffer before using
- CVE-2026-43187 - In the Linux kernel, the following vulnerability has been resolved: xfs: delete attr leaf freemap entries when
- CVE-2026-43190 - In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining leng
- CVE-2026-43194 - In the Linux kernel, the following vulnerability has been resolved: net: consume xmit errors of GSO frames udp
- CVE-2026-43196 - In the Linux kernel, the following vulnerability has been resolved: soc: ti: pruss: Fix double free in pruss_c
- CVE-2026-43199 - In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix scheduling while atomic i
- CVE-2026-43203 - In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in taskl
- CVE-2026-43205 - In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent
- CVE-2026-43206 - In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd
- CVE-2026-43207 - In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix error handling in prob
- CVE-2026-43211 - In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_slot_trylock() error handling
- CVE-2026-43212 - In the Linux kernel, the following vulnerability has been resolved: LoongArch: Make cpumask_of_node() robust a
- CVE-2026-43214 - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading
- CVE-2026-43215 - In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We
- CVE-2026-43222 - In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: AV1: Fix tile info buf
- CVE-2026-43226 - In the Linux kernel, the following vulnerability has been resolved: net/rds: No shortcut out of RDS_CONN_ERROR
- CVE-2026-43230 - In the Linux kernel, the following vulnerability has been resolved: net/rds: Clear reconnect pending bit When
- CVE-2026-43232 - In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs
- CVE-2026-43233 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read
- CVE-2026-43236 - In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix use-after-free of drm
- CVE-2026-43239 - In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races in ->query_inte
- CVE-2026-43241 - In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix array-index-out
- CVE-2026-43248 - In the Linux kernel, the following vulnerability has been resolved: vhost: move vdpa group bound check to vhos
- CVE-2026-43249 - In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen_9pfs_front_free agains
- CVE-2026-43250 - In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup
- CVE-2026-43253 - In the Linux kernel, the following vulnerability has been resolved: iommu/amd: move wait_on_sem() out of spinl
- CVE-2026-43256 - In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: vfe: Fix out-of-bounds
- CVE-2026-43258 - In the Linux kernel, the following vulnerability has been resolved: alpha: fix user-space corruption during me
- CVE-2026-43278 - In the Linux kernel, the following vulnerability has been resolved: dm: clear cloned request bio pointer when
- CVE-2026-43279 - In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB
- CVE-2026-43283 - In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_cohere
- CVE-2026-44241 - Micronaut has unbounded formattersCache in TimeConverterRegistrar that Allows Memory Exhaustion via Accept-Language Head
- CVE-2026-46689 - scim_proto and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion
- CVE-2026-23479 - Redis is an in-memory data structure store
- CVE-2026-23631 - Redis is an in-memory data structure store
- CVE-2026-25243 - Redis is an in-memory data structure store
- CVE-2026-35397 - Jupyter Server is the backend for Jupyter web applications
- CVE-2026-40034 - gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execu
- CVE-2026-40110 - Jupyter Server is the backend for Jupyter web applications
- CVE-2026-42997 - An issue was discovered in idrac in OpenStack Ironic before 35.0.1
- CVE-2026-43869 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift
- CVE-2026-6322 - fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitte
- CVE-2026-6918 - In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a
- CVE-2026-7482 - Ollama GGUF memory disclosure
- CVE-2025-70069 - An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and
- CVE-2026-23918 - Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol
- CVE-2026-24082 - Memory Corruption when copying data from a freed source while executing performance counter deselect operation
- CVE-2026-29004 - BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS
- CVE-2026-33846 - A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS
- CVE-2026-37459 - An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Servi
- CVE-2026-42151 - Prometheus is an open-source monitoring system and time series database
- CVE-2026-42154 - Prometheus is an open-source monitoring system and time series database
- CVE-2026-42440 - OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected:
- CVE-2026-5063 - NEX-Forms POST key stored XSS
- CVE-2026-6266 - A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links a
- CVE-2026-41485 - Kyverno forEach mutation panic DoS
- CVE-2026-41520 - Cilium bugtool WireGuard private key disclosure
- CVE-2026-42349 - Clerk combined authorization bypass
- GHSA-rh99-wc69-c255 - Contrast CopyFile policy symlink subversion
- CVE-2026-39383 - Gotenberg webhook SSRF
- CVE-2026-39804 - Bandit permessage-deflate decompression DoS
- CVE-2026-39858 - Traefik forwarded alias auth bypass
- CVE-2026-40171 - Jupyter CommandLinker token theft
- CVE-2026-42449 - n8n-mcp IPv4-mapped IPv6 SSRF
- CVE-2026-42461 - Arcane Compose template secret disclosure
- CVE-2026-42786 - Bandit WebSocket fragment reassembly DoS
- CVE-2026-7039 - ssh-mcp description command injection
- GHSA-74m3 - zrok WebDAV DriveRoot symlink escape
- GHSA-rpm5/GHSA-x2qx - GitPython command injection
- CVE-2026-31703 - In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_swi
- CVE-2026-31709 - In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL befor
- CVE-2026-37457 - An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_ut
- CVE-2026-43001 - An issue was discovered in OpenStack Keystone before 29.0.2
- CVE-2026-43003 - An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0
- CVE-2026-43033 - In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - Do not place hiseq at
- CVE-2026-5403 - SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code exe
- CVE-2026-5405 - RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and poss
- CVE-2026-5656 - Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and pos
- CVE-2026-7598 - A security vulnerability has been detected in libssh2 up to 1.11.1
- CVE-2025-14576 - Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loadi
- CVE-2026-31693 - In the Linux kernel, the following vulnerability has been resolved: cifs: some missing initializations on repl
- CVE-2026-33845 - A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leadi
- CVE-2026-5402 - TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code ex
- CVE-2026-7246 - Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() functio
- CVE-2026-37555 - An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec
- CVE-2026-42198 - pgjdbc is an open source postgresql JDBC Driver
- CVE-2024-54013 - Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web
- CVE-2025-48431 - Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings
- CVE-2026-41602 - Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This
- CVE-2026-41603 - Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift
- CVE-2026-41604 - Out-of-bounds Read vulnerability in Apache Thrift
- CVE-2026-41605 - Integer Overflow or Wraparound vulnerability in Apache Thrift
- CVE-2026-7320 - Information disclosure due to incorrect boundary conditions in the Audio/Video component
- CVE-2026-7322 - Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0
- CVE-2026-7323 - Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0
- CVE-2026-7324 - Memory safety bugs present in Thunderbird 150.0.0
- CVE-2026-27172 - The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and i
- CVE-2026-3006 - Successful exploitation of the race condition vulnerability could allow an attacker to trigger a kernel heap o
- CVE-2026-40022 - When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-p
- CVE-2026-40048 - The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of <keyId>.key files in the confi
- CVE-2026-40473 - The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io
- CVE-2026-40858 - The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a
- CVE-2026-6785 - Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Th
- CVE-2026-6786 - Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149
- CVE-2026-21728 - Tempo queries with large limits can cause large memory allocations which can impact the availability of the se
- CVE-2026-31641 - In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix RxGK token loading to check bou
- CVE-2026-31663 - In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_f
- CVE-2026-40466 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache A
- CVE-2026-40897 - Math.js is an extensive math library for JavaScript and Node.js
- CVE-2026-41044 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache A
- CVE-2026-41140 - Poetry is a dependency manager for Python
- CVE-2026-41316 - ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an
- CVE-2026-42033 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-42039 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-42043 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-5367 - A flaw was found in OVN (Open Virtual Network)
- CVE-2026-33999 - A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatib
- CVE-2026-34001 - A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering
- CVE-2026-34003 - A flaw was found in the X.Org X server's XKB key types request validation
- CVE-2026-40886 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-41246 - Contour is a Kubernetes ingress controller using Envoy proxy
- CVE-2026-22754 - Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path=/servlet-path
- CVE-2026-31431 - In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating o
- CVE-2026-31474 - In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in i
- CVE-2026-31488 - In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mod
- CVE-2026-31504 - In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() vi
- CVE-2026-40542 - Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to acc
- CVE-2026-6846 - A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted
- CVE-2026-6857 - A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream re
- CVE-2026-6859 - A flaw was found in InstructLab. The linux_train.py script hardcodes trust_remote_code=True when loading m
- CVE-2026-22016 - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Orac
- CVE-2026-34282 - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Orac
- CVE-2026-40244 - OpenEXR provides the specification and reference implementation of the EXR file format, an image storage forma
- CVE-2026-40611 - Let's Encrypt client and ACME library written in Go (Lego)
- CVE-2026-40895 - follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatical
- CVE-2026-40938 - Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines
- CVE-2026-6746 - Use-after-free in the DOM: Core & HTML component
- CVE-2026-6747 - Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thund
- CVE-2026-6749 - Information disclosure due to uninitialized memory in the Graphics: Canvas2D component
- CVE-2026-6750 - Privilege escalation in the Graphics: WebRender component
- CVE-2026-6751 - Uninitialized memory in the Audio/Video: Web Codecs component
- CVE-2026-6752 - Incorrect boundary conditions in the WebRTC component
- CVE-2026-6753 - Incorrect boundary conditions in the WebRTC component
- CVE-2026-6754 - Use-after-free in the JavaScript Engine component
- CVE-2026-6784 - Memory safety bugs present in Firefox 149 and Thunderbird 149
- CVE-2026-3605 - An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secr
- CVE-2026-40066 - Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded
- CVE-2026-4525 - If a Vault auth mount is configured to pass through the Authorization header, and the Authorization header
- CVE-2026-5807 - Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate
- CVE-2025-54502 - Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privilege
- CVE-2026-35469 - spdystream is a Go library for multiplexing streams over SPDY connections
- CVE-2026-40170 - ngtcp2 is a C implementation of the IETF QUIC protocol
- CVE-2026-41035 - In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading t
- CVE-2026-41082 - In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent d
- CVE-2026-33805 - @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Conne
- CVE-2026-33806 - Impact: Fastify applications using schema.body.content for per-content-type body validation can have validatio
- CVE-2026-34632 - Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have re
- CVE-2026-3505 - Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legio
- CVE-2026-40176 - Composer is a dependency manager for PHP
- CVE-2026-40192 - Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed
- CVE-2026-40261 - Composer is a dependency manager for PHP
- CVE-2026-5588 - Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc
- CVE-2026-5598 - Covert timing channel vulnerability in Legion of the Bouncy Castle Inc
- CVE-2026-6384 - A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's ReadJeffsIm
- CVE-2026-2332 - In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, simil
- CVE-2026-23666 - Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network
- CVE-2026-26171 - Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network
- CVE-2026-32178 - Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a
- CVE-2026-32203 - Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a n
- CVE-2026-33414 - Podman is a tool for managing OCI containers and pods
- CVE-2026-40164 - jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHas
- CVE-2026-0233 - A certificate validation vulnerability in Palo Alto Networks Autonomous Digital Experience Manager on Windows
- CVE-2026-1462 - A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled Te
- CVE-2026-28291 - simple-git enables running native Git commands from JavaScript
- CVE-2026-31419 - In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_x
- CVE-2026-33901 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-33908 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-4786 - Mitgation of CVE-2026-4519 was incomplete
- CVE-2026-5936 - An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate
- CVE-2026-6100 - Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile w
- CVE-2019-25695 - R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by inje
- CVE-2026-32146 - Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary f
- CVE-2026-4150 - GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-4151 - GIMP ANI File Parsing Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-4152 - GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-4153 - GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-4154 - GIMP XPM File Parsing Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-34481 - Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in v
- CVE-2026-39304 - Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache Ac
- CVE-2026-40217 - LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /gu
- CVE-2026-5483 - A flaw was found in odh-dashboard in Red Hat Openshift AI
- CVE-2025-13914 - A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstr
- CVE-2026-1584 - A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a spe
- CVE-2026-29146 - Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration
- CVE-2026-33771 - A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS migh
- CVE-2026-34486 - Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing
- CVE-2026-34734 - HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump hel
- CVE-2026-34971 - Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift
- CVE-2026-35204 - Helm is a package manager for Charts for Kubernetes
- CVE-2026-35205 - Helm is a package manager for Charts for Kubernetes
- CVE-2026-39983 - basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequen
- CVE-2026-4660 - HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain gi
- CVE-2026-27140 - SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code exe
- CVE-2026-27806 - Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
- CVE-2026-32280 - During chain building, the amount of work that is done is not correctly limited when a large number of interme
- CVE-2026-32283 - If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the co
- CVE-2026-32589 - A flaw was found in Red Hat Quay's container image upload process
- CVE-2026-32590 - A flaw was found in Red Hat Quay's handling of resumable container image layer uploads
- CVE-2026-33810 - When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly ap
- CVE-2026-39883 - OpenTelemetry-Go is the Go implementation of OpenTelemetry
- CVE-2026-5795 - In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal
- CVE-2025-14821 - A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of
- CVE-2026-20884 - An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2
- CVE-2026-24450 - An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8d
- CVE-2026-24660 - A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d2031
- CVE-2026-29181 - OpenTelemetry-Go is the Go implementation of OpenTelemetry
- CVE-2026-32144 - Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP design
- CVE-2026-34045 - Podman Desktop is a graphical tool for developing on containers and Kubernetes
- CVE-2026-34580 - Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a mislea
- CVE-2026-39363 - Vite is a frontend tooling framework for JavaScript
- CVE-2026-39364 - Vite is a frontend tooling framework for JavaScript
- CVE-2026-4740 - A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Manageme
- CVE-2026-5732 - Incorrect boundary conditions, integer overflow in the Graphics: Text component
- CVE-2026-5733 - Incorrect boundary conditions in the Graphics: WebGPU component
- CVE-2026-34379 - OpenEXR provides the specification and reference implementation of the EXR file format, an image storage forma
- CVE-2026-34588 - OpenEXR provides the specification and reference implementation of the EXR file format, an image storage forma
- CVE-2026-34982 - Vim is an open source, command line text editor
- CVE-2026-34986 - Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, inc
- CVE-2026-35029 - LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format
- CVE-2026-35172 - Distribution is a toolkit to pack, ship, store, and deliver container content
- CVE-2026-34769 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-34771 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-34774 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-34780 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-35535 - In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege
- CVE-2026-34601 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-34742 - The Go MCP SDK used Go's standard encoding/json
- CVE-2026-34785 - Rack is a modular Ruby web server interface
- CVE-2026-34827 - Rack is a modular Ruby web server interface
- CVE-2026-34829 - Rack is a modular Ruby web server interface
- CVE-2026-35385 - In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to som
- CVE-2026-3872 - A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server,
- CVE-2026-4282 - A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and nam
- CVE-2026-4634 - A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a speciall
- CVE-2026-4636 - A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Acces
- CVE-2026-27489 - Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability
- CVE-2026-34545 - OpenEXR provides the specification and reference implementation of the EXR file format, an image storage forma
- CVE-2026-35093 - A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain
- CVE-2026-34040 - Moby is an open source container framework
- CVE-2026-4800 - Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for th
- CVE-2026-5201 - A flaw was found in the gdk-pixbuf library
- CVE-2026-21710 - A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a heade
- CVE-2026-2370 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18
- CVE-2026-33984 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-33986 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2025-15381 - In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints
- CVE-2025-59032 - ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response
- CVE-2026-24031 - Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin
- CVE-2026-27856 - Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack
- CVE-2026-27858 - Attacker can send a specifically crafted message before authentication that causes managesieve to allocate lar
- CVE-2026-27880 - The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-
- CVE-2026-32695 - Traefik is an HTTP reverse proxy and load balancer
- CVE-2026-33433 - Traefik is an HTTP reverse proxy and load balancer
- CVE-2026-33870 - Netty is an asynchronous, event-driven network application framework
- CVE-2026-33871 - Netty is an asynchronous, event-driven network application framework
- CVE-2026-33891 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33894 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33895 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33896 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33938 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33939 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33940 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33941 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33943 - Happy DOM is a JavaScript implementation of a web browser without its graphical user interface
- CVE-2026-34226 - Happy DOM is a JavaScript implementation of a web browser without its graphical user interface
- CVE-2026-1961 - A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's We
- CVE-2026-28377 - A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config e
- CVE-2026-32285 - The Delete function fails to properly validate offsets when processing malformed JSON input
- CVE-2026-32286 - The DataRow.Decode function fails to properly validate field lengths
- CVE-2026-32748 - Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expect
- CVE-2026-33487 - goxmlsig provides XML Digital Signatures implemented in Go
- CVE-2026-33526 - Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to
- CVE-2026-35633 - OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
- CVE-2026-4926 - Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly bra
- CVE-2025-67030 - Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils
- CVE-2026-1519 - If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may
- CVE-2026-23351 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into u
- CVE-2026-23392 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable af
- CVE-2026-27889 - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system
- CVE-2026-29785 - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system
- CVE-2026-3104 - A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domai
- CVE-2026-33216 - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system
- CVE-2026-33217 - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system
- CVE-2026-33218 - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system
- CVE-2026-33247 - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system
- CVE-2026-3608 - Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons ov
- CVE-2026-27651 - When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests
- CVE-2026-27654 - NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an at
- CVE-2026-27784 - The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which mi
- CVE-2026-32647 - NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an
- CVE-2026-4371 - A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory
- CVE-2026-4684 - Race condition, use-after-free in the Graphics: WebRender component
- CVE-2026-4685 - Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4686 - Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4687 - Sandbox escape due to incorrect boundary conditions in the Telemetry component
- CVE-2026-4690 - Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
- CVE-2026-4693 - Incorrect boundary conditions in the Audio/Video: Playback component
- CVE-2026-4694 - Incorrect boundary conditions, integer overflow in the Graphics component
- CVE-2026-4695 - Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4697 - Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4699 - Incorrect boundary conditions in the Layout: Text and Fonts component
- CVE-2026-4775 - A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerabili
- CVE-2026-4598 - Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function
- CVE-2026-4600 - Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signa
- CVE-2026-4601 - Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.cryp
- CVE-2026-4602 - Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types d
- CVE-2026-23272 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump
- CVE-2026-23274 - In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse
- CVE-2026-23278 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pend
- CVE-2026-23536 - A security issue was discovered in the Feast Feature Server's /read-document endpoint that allows an unauthe
- CVE-2026-32829 - lz4_flex is a pure Rust implementation of LZ4 compression/decompression
- CVE-2026-32874 - UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+
- CVE-2026-32875 - UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+
- CVE-2026-33150 - libfuse is the reference implementation of the Linux FUSE
- CVE-2026-33180 - HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java
- CVE-2026-33231 - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting
- CVE-2026-33236 - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting
- CVE-2026-3029 - A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in P
- CVE-2026-4342 - A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inj
- CVE-2026-4424 - A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processin
- CVE-2026-2092 - A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not pr
- CVE-2026-23242 - In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer deref
- CVE-2026-23243 - In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_
- CVE-2026-23262 - In the Linux kernel, the following vulnerability has been resolved: gve: Fix stats report corruption on queue
- CVE-2026-2603 - A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML respons
- CVE-2026-26740 - Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the
- CVE-2026-27135 - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C
- CVE-2026-28500 - Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability
- CVE-2026-31898 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-33001 - Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction
- CVE-2026-32981 - A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2
- CVE-2025-14287 - A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the mlflow/
- CVE-2026-28498 - Authlib is a Python library which builds OAuth and OpenID Connect servers
- CVE-2026-2920 - GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-2921 - GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-2922 - GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2026-2923 - GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2026-3081 - GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-3082 - GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-3083 - GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2026-3084 - GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability
- CVE-2026-3085 - GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-3086 - GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2026-3644 - The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete
- CVE-2026-32597 - PyJWT is a JSON Web Token implementation in Python
- CVE-2026-4111 - A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within t
- CVE-2023-43010 - The issue was addressed with improved memory handling
- CVE-2026-1526 - The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption durin
- CVE-2026-1528 - ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length
- CVE-2026-2229 - ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of th
- CVE-2026-28356 - multipart is a fast multipart/form-data parser for python
- CVE-2026-32141 - flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase
- CVE-2026-32274 - Black is the uncompromising Python code formatter
- CVE-2026-3497 - Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions
- CVE-2026-31892 - Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernete
- CVE-2026-24294 - Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally
- CVE-2026-26130 - Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny s
- CVE-2026-28691 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-28693 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-30951 - Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB
- CVE-2026-31837 - Istio is an open platform to connect, manage, and secure microservices
- CVE-2026-0846 - A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrar
- CVE-2026-25960 - vLLM is an inference and serving engine for large language models (LLMs)
- CVE-2026-24281 - Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validatio
- CVE-2026-24308 - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms all
- CVE-2026-29186 - Backstage is an open framework for building developer portals
- CVE-2026-25679 - url.Parse insufficiently validated the host/authority component and accepted some invalid URLs
- CVE-2026-26017 - CoreDNS is a DNS server that chains plugins
- CVE-2026-26018 - CoreDNS is a DNS server that chains plugins
- CVE-2026-27137 - When verifying a certificate chain which contains a certificate containing multiple email address constraints
- CVE-2026-29062 - jackson-core contains core low-level incremental (streaming) parser and generator abstractions used by Jacks
- CVE-2026-29074 - SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files
- CVE-2026-29091 - Locutus brings stdlibs of other programming languages to JavaScript for educational purposes
- CVE-2025-45691 - An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0
- CVE-2025-69534 - Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser
- CVE-2026-1605 - In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a
- CVE-2026-25048 - xgrammar is an open-source library for efficient, flexible, and portable structured generation
- CVE-2026-26999 - Traefik is an HTTP reverse proxy and load balancer
- CVE-2026-29054 - Traefik is an HTTP reverse proxy and load balancer
- CVE-2026-3009 - A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to procee
- CVE-2026-3047 - A flaw was found in org.keycloak.broker.saml
- CVE-2025-15558 - Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that doe
- CVE-2025-71238 - In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing doub
- CVE-2026-0847 - A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in mu
- CVE-2026-23233 - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wrong physical
- CVE-2026-23234 - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_i
- CVE-2026-23235 - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs at
- CVE-2026-23236 - In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory
- CVE-2026-3520 - Multer is a node.js middleware for handling multipart/form-data
- CVE-2026-25673 - An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29
- CVE-2026-27622 - OpenEXR provides the specification and reference implementation of the EXR file format, an image storage forma
- CVE-2026-3336 - Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certifica
- CVE-2026-3338 - Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature v
- CVE-2026-2359 - Multer is a node.js middleware for handling multipart/form-data
- CVE-2026-28364 - In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c)
- CVE-2026-28400 - Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker
- CVE-2026-28406 - kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster
- CVE-2026-3304 - Multer is a node.js middleware for handling multipart/form-data
- CVE-2026-1693 - The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by
- CVE-2026-27830 - c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objec
- CVE-2026-27896 - The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in ver
- CVE-2026-27959 - Koa is middleware for Node.js using ES2017 async functions
- CVE-2026-26103 - A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUK
- CVE-2026-26955 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-26965 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-27595 - Parse Dashboard is a standalone dashboard for managing Parse Server apps
- CVE-2026-27608 - Parse Dashboard is a standalone dashboard for managing Parse Server apps
- CVE-2026-25794 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-25965 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-25985 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-27483 - MindsDB: Path Traversal in /api/files Leading to Remote Code Execution
- CVE-2026-2769 - Use-after-free in the Storage: IndexedDB component
- CVE-2026-2794 - Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android
- CVE-2026-2798 - Use-after-free in the DOM: Core & HTML component
- CVE-2025-14905 - A flaw was found in the 389-ds-base server
- CVE-2025-67733 - Valkey is a distributed key-value database
- CVE-2026-21863 - Valkey is a distributed key-value database
- CVE-2026-25747 - Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component
- CVE-2026-27623 - Valkey is a distributed key-value database
- CVE-2026-27134 - Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configu
- CVE-2019-25434 - SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash
- CVE-2026-0797 - GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-2033 - MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
- CVE-2026-2044 - GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability
- CVE-2026-2045 - GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2026-2047 - GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-2048 - GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2026-2472 - Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (
- CVE-2026-2492 - TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
- CVE-2026-2635 - MLflow Use of Default Password Authentication Bypass Vulnerability
- CVE-2026-2818 - A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers
- CVE-2026-25535 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-25755 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-25940 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-26200 - HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an h5 file parsed
- CVE-2026-26278 - fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C+
- CVE-2026-26280 - systeminformation is a System and OS information library for node.js
- CVE-2026-26318 - systeminformation is a System and OS information library for node.js
- CVE-2025-14009 - A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions
- CVE-2025-71231 - In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in f
- CVE-2026-22860 - Rack is a modular Ruby web server interface
- CVE-2026-23216 - In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in
- CVE-2026-23221 - In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_
- CVE-2026-23222 - In the Linux kernel, the following vulnerability has been resolved: crypto: omap - Allocate OMAP_CRYPTO_FORCE_
- CVE-2026-23230 - In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to
- CVE-2026-24708 - An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1
- CVE-2026-24734 - Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat
- CVE-2026-2447 - Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox
- CVE-2025-71220 - In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_rpc_close()
- CVE-2026-23169 - In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_flush_addrs
- CVE-2026-23180 - In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id i
- CVE-2026-23185 - In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_scan_start_
- CVE-2026-23193 - In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in
- CVE-2026-23198 - In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when
- CVE-2026-23111 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask
- CVE-2023-31313 - An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a privileged attac
- CVE-2026-2004 - Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an
- CVE-2026-2005 - Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the oper
- CVE-2026-2006 - Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to iss
- CVE-2026-2007 - Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted inp
- CVE-2026-25949 - Traefik is an HTTP reverse proxy and load balancer
- CVE-2020-37196 - Dnss Domain Name Search Software contains a denial of service vulnerability that allows attackers to crash the
- CVE-2020-37197 - Dnss Domain Name Search Software contains a denial of service vulnerability that allows attackers to crash the
- CVE-2020-37199 - NBMonitor 1.6.6.0 contains a denial of service vulnerability in its registration key input that allows attacke
- CVE-2020-37200 - NetShareWatcher 1.5.8.0 contains a buffer overflow vulnerability in the registration key input that allows att
- CVE-2020-37201 - NetShareWatcher 1.5.8.0 contains a buffer overflow vulnerability in the registration name input that allows at
- CVE-2020-37204 - RemShutdown 2.9.0.0 contains a denial of service vulnerability in its registration key input that allows attac
- CVE-2020-37205 - RemShutdown 2.9.0.0 contains a denial of service vulnerability that allows attackers to crash the application
- CVE-2020-37206 - ShareAlarmPro contains a denial of service vulnerability that allows attackers to crash the application by sup
- CVE-2020-37207 - SpotDialup 1.6.7 contains a denial of service vulnerability in the registration key input field that allows at
- CVE-2020-37208 - SpotFTP 3.0.0.0 contains a buffer overflow vulnerability in the registration key input field that allows attac
- CVE-2020-37209 - SpotFTP 3.0.0.0 contains a denial of service vulnerability in the registration name input field that allows at
- CVE-2020-37210 - SpotIE 2.9.5 contains a denial of service vulnerability in the registration key input that allows attackers to
- CVE-2020-37211 - SpotIM 2.2 contains a denial of service vulnerability that allows attackers to crash the application by inputt
- CVE-2020-37212 - SpotMSN 2.4.6 contains a denial of service vulnerability in the registration name input field that allows atta
- CVE-2026-1669 - Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 o
- CVE-2026-1837 - A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory
- CVE-2026-20652 - The issue was addressed with improved memory handling
- CVE-2026-25990 - Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when
- CVE-2026-26157 - A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attack
- CVE-2026-26158 - A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended ext
- CVE-2025-35998 - Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some
- CVE-2026-25506 - MUNGE is an authentication service for creating and validating user credentials
- CVE-2026-25646 - LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network
- CVE-2026-1486 - A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fail
- CVE-2026-1529 - A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and
- CVE-2026-24678 - FreeRDP is a free implementation of the Remote Desktop Protocol
- CVE-2026-25639 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-25580 - Pydantic AI is a Python agent framework for building applications and workflows with Generative AI
- CVE-2026-25640 - Pydantic AI is a Python agent framework for building applications and workflows with Generative AI
- CVE-2025-61732 - A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo
- CVE-2026-23074 - In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be u
- CVE-2026-25521 - Locutus brings stdlibs of other programming languages to JavaScript for educational purposes
- CVE-2026-25536 - MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients
- CVE-2020-37094 - EspoCRM 5.7.0 prior to 5.9.0 contains an authentication token reuse vulnerability that allows authenticated at
- CVE-2026-25223 - Fastify is a fast and low overhead web framework, for Node.js
- CVE-2026-1530 - A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (
- CVE-2026-1531 - A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL ve
- CVE-2026-1761 - A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multi
- CVE-2026-24737 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2024-4027 - A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() ca
- CVE-2025-24293 - # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use
- CVE-2026-25153 - Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides co
- CVE-2025-57283 - The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability
- CVE-2025-61726 - The net/url package does not set a limit on the number of query parameters in a query
- CVE-2025-61731 - Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial
- CVE-2026-24842 - node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for h
- CVE-2025-15467 - Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters
- CVE-2026-21720 - Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image
- CVE-2026-21721 - The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permis
- CVE-2026-24486 - Python-Multipart is a streaming multipart parser for Python
- CVE-2026-24747 - PyTorch is a Python package that provides tensor computation
- CVE-2026-24779 - vLLM is an inference and serving engine for large language models (LLMs)
- CVE-2026-24869 - Use-after-free in the Layout: Scrolling and Overflow component
- CVE-2026-24881 - In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key
- CVE-2026-24882 - In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT co
- CVE-2025-14459 - A flaw was found in KubeVirt Containerized Data Importer (CDI)
- CVE-2026-23864 - Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages:
- CVE-2025-15059 - GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2026-0603 - A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injectio
- CVE-2026-0775 - npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability
- CVE-2026-0994 - A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the
- CVE-2026-1260 - Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is n
- CVE-2026-20736 - Gitea does not properly verify repository context when deleting attachments
- CVE-2026-24001 - jsdiff is a JavaScript text differencing implementation
- CVE-2026-24049 - wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427
- CVE-2025-13878 - Malformed BRID/HHIT records can cause named to terminate unexpectedly
- CVE-2026-22822 - External Secrets Operator reads information from a third-party service and automatically injects the values as
- CVE-2026-24046 - Backstage is an open framework for building developer portals
- CVE-2025-55131 - A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted,
- CVE-2025-59465 - A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggeri
- CVE-2026-21932 - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Orac
- CVE-2026-21945 - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Orac
- CVE-2026-23876 - ImageMagick is free and open-source software used for editing and manipulating digital images
- CVE-2026-23950 - node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3
- CVE-2025-68616 - WeasyPrint helps web developers to create PDF documents
- CVE-2021-47814 - NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by o
- CVE-2021-47839 - Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious
- CVE-2026-23490 - pyasn1 is a generic ASN.1 library for Python
- CVE-2026-0897 - Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0
- CVE-2026-22774 - Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficien
- CVE-2026-22775 - Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficien
- CVE-2026-0532 - External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow a
- CVE-2025-71089 - In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set
- CVE-2026-0877 - Mitigation bypass in the DOM: Security component
- CVE-2026-0878 - Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
- CVE-2026-0880 - Sandbox escape due to integer overflow in the Graphics component
- CVE-2026-0882 - Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox
- CVE-2026-0891 - Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
- CVE-2025-15514 - Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi
- CVE-2026-22771 - Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based applicati
- CVE-2025-68493 - Missing XML Validation vulnerability in Apache Struts, Apache Struts
- CVE-2025-59057 - React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0
- CVE-2026-21884 - React Router is a router for React. In @remix-run/react version prior to 2.17.3
- CVE-2026-22029 - React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 throug
- CVE-2025-13761 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before
- CVE-2025-13772 - GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3
- CVE-2025-9222 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 1
- CVE-2025-50334 - An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-li
- CVE-2025-65518 - Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition
- CVE-2026-0719 - A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other
- CVE-2025-69263 - pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs
- CVE-2025-69264 - pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary co
- CVE-2026-21441 - urllib3 is an HTTP client library for Python
- CVE-2026-22184 - zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under
- CVE-2025-68428 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2025-69223 - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
- CVE-2025-67269 - An integer underflow vulnerability exists in the nextstate() function in gpsd/packet.c of gpsd versions pr
- CVE-2025-11157 - A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in
- CVE-2025-2515 - A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS
- CVE-2025-14523 - A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occur
- CVE-2025-66287 - A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to i
- CVE-2025-13947 - A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can
- CVE-2025-13601 - A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the
- CVE-2025-13502 - A flaw was found in WebKitGTK and WPE WebKit
- CVE-2025-13609 - A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new ag
- CVE-2025-61662 - A Use-After-Free vulnerability has been discovered in GRUB's gettext module
- CVE-2025-59088 - If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration,
- CVE-2025-30398 - Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a net
- CVE-2025-43433 - The issue was addressed with improved memory handling
- CVE-2025-62230 - A flaw was discovered in the X.Org X server’s X Keyboard (Xkb) extension when handling client resource cleanup
- CVE-2025-62231 - A flaw was identified in the X.Org X server’s X Keyboard (Xkb) extension where improper bounds checking in the
- CVE-2025-40082 - In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hf
- CVE-2025-12105 - A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and W
- CVE-2023-53673 - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect call
- CVE-2025-11021 - A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other
- CVE-2025-9900 - A flaw was found in Libtiff. This vulnerability is a write-what-where condition, triggered when the library
- CVE-2025-5962 - A flaw was found in the Lightspeed history service
- CVE-2025-4953 - A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during
- CVE-2025-9566 - There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when
- CVE-2025-9784 - Undertow MadeYouReset HTTP/2 DDoS Vulnerability
- CVE-2025-8067 - A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-B
- CVE-2023-32256 - A flaw was found in the Linux kernel's ksmbd component
- CVE-2025-7443 - The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and Ja
- CVE-2025-31277 - The issue was addressed with improved memory handling
- CVE-2025-4056 - A flaw was found in GLib. A denial of service on Windows platforms may occur if an application attempts to spa
- CVE-2025-8101 - Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
- CVE-2025-6018 - A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Auth
- CVE-2025-6965 - There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed
- CVE-2025-7424 - A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input da
- CVE-2025-7425 - A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts interna
- CVE-2025-7345 - A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’
- CVE-2025-7346 - pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
- CVE-2025-5987 - A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library
- CVE-2025-38201 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum m
- CVE-2025-5318 - A flaw was found in the libssh library in versions less than 0.11.2
- CVE-2025-6032 - A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloadi
- CVE-2025-44203 - In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before se
- CVE-2025-6019 - A Local Privilege Escalation (LPE) vulnerability was found in libblockdev
- CVE-2025-49176 - A flaw was found in the Big Requests extension
- CVE-2025-49179 - A flaw was found in the X Record extension
- CVE-2025-49180 - A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validat
- CVE-2025-6020 - A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper pr
- CVE-2025-49795 - A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions
- CVE-2025-6021 - A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can
- CVE-2025-5914 - A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar
- CVE-2025-48796 - A flaw was found in GIMP. The GIMP ani_load_image() function is vulnerable to a stack-based overflow
- CVE-2025-48797 - A flaw was found in GIMP when processing certain TGA image files
- CVE-2025-48798 - A flaw was found in GIMP when processing XCF image files
- CVE-2025-5222 - A stack buffer overflow was found in Internationl components for unicode (ICU )
- CVE-2025-5024 - A flaw was found in gnome-remote-desktop
- CVE-2025-4948 - A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commo
- CVE-2025-31223 - The issue was addressed with improved checks
- CVE-2025-37822 - In the Linux kernel, the following vulnerability has been resolved: riscv: uprobes: Add missing fence.i after
- CVE-2025-37778 - In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix dangling pointer in krb_authent
- CVE-2025-3891 - A flaw was found in the mod_auth_openidc module for Apache httpd
- CVE-2025-46397 - A flaw was found in xfig. This vulnerability allows possible code execution via local input manipulation via b
- CVE-2025-32906 - A flaw was found in libsoup, where the soup_headers_parse_request() function may be vulnerable to an out-of-bo
- CVE-2025-32908 - A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers
- CVE-2025-32913 - A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable t
- CVE-2025-32914 - A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-b
- CVE-2025-2784 - A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via th
- CVE-2025-3155 - A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary script
- CVE-2025-32049 - A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause
- CVE-2025-24196 - A type confusion issue was addressed with improved memory handling
- CVE-2024-8176 - A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expan
- CVE-2025-23368 - A flaw was found in Wildfly Elytron integration
- CVE-2024-45782 - A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesyst
- CVE-2025-0678 - A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-con
- CVE-2025-0689 - When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadat
- CVE-2025-1125 - When reading data from a hfs filesystem, grub's hfs filesystem module uses user-controlled parameters from the
- CVE-2025-26594 - A use-after-free flaw was found in X.Org and Xwayland
- CVE-2025-26595 - A buffer overflow flaw was found in X.Org and Xwayland
- CVE-2025-26596 - A heap overflow flaw was found in X.Org and Xwayland
- CVE-2025-26597 - A buffer overflow flaw was found in X.Org and Xwayland
- CVE-2025-26598 - An out-of-bounds write flaw was found in X.Org and Xwayland
- CVE-2025-26599 - An access to an uninitialized pointer flaw was found in X.Org and Xwayland
- CVE-2025-26600 - A use-after-free flaw was found in X.Org and Xwayland
- CVE-2025-26601 - A use-after-free flaw was found in X.Org and Xwayland
- CVE-2025-0624 - A flaw was found in grub2. During the network boot process, when trying to search for the configuration file,
- CVE-2025-1244 - A command injection flaw was found in the text editor Emacs
- CVE-2024-11218 - A vulnerability was found in podman build and buildah. This issue occurs in a container breakout by using
- CVE-2024-45331 - A incorrect privilege assignment vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.3, FortiAnalyzer 7
- CVE-2024-12085 - A flaw was found in rsync which could be triggered when rsync compares file checksums
- CVE-2024-48884 - A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet For
- CVE-2025-0306 - A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack
- CVE-2024-52009 - Git credentials are exposed in Atlantis logs
- CVE-2024-38286 - Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability
- CVE-2024-9675 - A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the
- CVE-2024-8418 - A flaw was found in Aardvark-dns, which is vulnerable to a Denial of Service attack due to the serial processi
- CVE-2024-21522 - All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is prov
- CVE-2024-21523 - All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input
- CVE-2024-23667 - An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebMana
- CVE-2024-23668 - An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebMana
- CVE-2024-23670 - An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebMana
- CVE-2024-35862 - In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_
- CVE-2024-3727 - A flaw was found in the github.com/containers/image library
- CVE-2024-22257 - In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, vers
- CVE-2023-42790 - A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2
- CVE-2024-21490 - This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0
- CVE-2024-21626 - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification
- CVE-2023-40547 - A remote code execution vulnerability was found in Shim
- CVE-2023-45815 - Viewing wget extractor output while logged in as an admin allows archived JS to execute in the admins context
- CVE-2023-38950 - A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to
- CVE-2023-3640 - A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU d
- CVE-2023-2373 - A vulnerability was identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6
- CVE-2023-2374 - A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6
- CVE-2023-2375 - A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6
- CVE-2023-2376 - A security vulnerability has been detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6
- CVE-2023-2377 - A vulnerability was detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6
- CVE-2023-2378 - A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6
- CVE-2022-21952 - A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUS
- CVE-2022-30065 - A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when pr
- CVE-2016-0750 - Infinispan: Deserialization of untrusted data in the Hot Rod Java client via automatic byte-array deserialization
- CVE-2022-23913 - Apache ActiveMQ Artemis Uncontrolled Resource Consumption (DoS)
- CVE-2021-26118 - Apache ActiveMQ Artemis vulnerable to Improper Access Control
- CVE-2021-29441 - Nacos is a platform designed for dynamic service discovery and configuration and service management
- CVE-2021-25296 - Nagios XI version xi-5.7.5 is affected by OS command injection
- CVE-2021-25297 - Nagios XI version xi-5.7.5 is affected by OS command injection
- CVE-2021-25298 - Nagios XI version xi-5.7.5 is affected by OS command injection
- CVE-2020-26868 - ARC Informatique PcVue prior to version 12.0.17 is vulnerable to a denial-of-service attack due to the ability
- CVE-2020-26869 - ARC Informatique PcVue prior to version 12.0.17 is vulnerable to information exposure, allowing unauthorized u
- CVE-2019-16869 - HTTP Request Smuggling in Netty
- CVE-2019-14749 - An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1
- CVE-2018-10902 - It was found that the raw midi kernel driver does not protect against concurrent access which leads to a doubl
- CVE-2018-1259 - Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1
- CVE-2018-1274 - Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a propert
- CVE-2018-7195 - Enhancesoft osTicket before 1.10.2 allows remote attackers to reset arbitrary passwords (when an associated e-
- CVE-2016-6650 - EMC RecoverPoint versions prior to 5.0 and EMC RecoverPoint for Virtual Machines versions prior to 5.0 have an