Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,328
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1 - 20 of 39,613 CVEs
CVE-2026-61344 MEDIUM - 5.3

The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication.

Vendor: Superior Court of California, County of Los Angeles
Product: Hearing Reminder Service
Published: Jul 09, 2026
Source: NVD
CVE-2026-61343 HIGH - 7.2

LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.

Vendor: LibreBooking
Product: LibreBooking
Published: Jul 09, 2026
Source: NVD
CVE-2026-59827 CRITICAL - 9.9

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of ...

Vendor: metabase
Product: metabase
Published: Jul 09, 2026
Source: NVD
CVE-2026-59826 CRITICAL - 9.1

Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 dat...

Vendor: metabase
Product: metabase
Published: Jul 09, 2026
Source: NVD
CVE-2026-59817 MEDIUM - 5.3

Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or steali...

Vendor: TryGhost
Product: Ghost
Published: Jul 09, 2026
Source: NVD
CVE-2026-59734 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function directly interpolated the health_check_host, health_check_method, and health_chec...

Vendor: coollabsio
Product: coolify
Published: Jul 09, 2026
Source: NVD
CVE-2026-59726 CRITICAL - 10.0

Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated network attacker to invoke tools/call to terminal_execute, obt...

Vendor: ruvnet
Product: ruflo
Published: Jul 09, 2026
Source: NVD
CVE-2026-59721 HIGH - 7.2

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sen...

Vendor: hoppscotch
Product: hoppscotch
Published: Jul 09, 2026
Source: NVD
CVE-2026-59720 HIGH - 7.5

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without auth...

Vendor: hoppscotch
Product: hoppscotch
Published: Jul 09, 2026
Source: NVD
CVE-2026-59221 HIGH - 7.7

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks...

Vendor: open-webui
Product: open-webui
Published: Jul 09, 2026
Source: NVD
CVE-2026-58378 HIGH - 8.8

Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for ADB authorization and gain root level privileges if the victim allows access.

Vendor: Allwinner
Product: H616
Published: Jul 09, 2026
Source: NVD
CVE-2026-55420 HIGH - 7.5

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

Vendor: discourse
Product: discourse
Published: Jul 09, 2026
Source: NVD

An authenticated administrator may be able to achieve arbitrary code execution on the host system by uploading a malicious file through the Open Source LLM setup feature in the Admin Console. This vulnerability has been addressed in FileMaker Server 26.0.1.

Vendor: Claris
Product: FileMaker Server
Published: Jul 09, 2026
Source: NVD
CVE-2026-15204 MEDIUM - 5.3

A vulnerability was detected in TOTOLINK X5000R 9.1.0cu.2415_B20250515/9.1.0cu.2350_B20230313. Affected by this vulnerability is the function exportOvpn of the file /web/cgi-bin/cstecgi.cgi of the component OpenVPN Export. The manipulation results in path traversal. The attack may be launched remote...

Vendor: TOTOLINK
Product: X5000R
Published: Jul 09, 2026
Source: NVD
CVE-2026-15202 MEDIUM - 4.3

A security vulnerability has been detected in YzmCMS up to 7.5. Affected is the function get_url of the file /yzmphp/yzmphp.php of the component Header Handler. The manipulation of the argument HTTP_HOST leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclo...

Product: YzmCMS
Published: Jul 09, 2026
Source: NVD
CVE-2026-15195 MEDIUM - 6.3

A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely...

Vendor: apidevtools
Product: json-schema-ref-parser
Published: Jul 09, 2026
Source: NVD

Rejected reason: After further coordination, CVE was determined to not be warranted.

Published: Jul 09, 2026
Source: NVD

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring ...

Vendor: open-webui
Product: open-webui
Published: Jul 09, 2026
Source: NVD
CVE-2026-59227 MEDIUM - 4.3

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to invoke...

Vendor: open-webui
Product: open-webui
Published: Jul 09, 2026
Source: NVD

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants ...

Vendor: open-webui
Product: open-webui
Published: Jul 09, 2026
Source: NVD