Total CVEs

143,226

Critical Severity

4,056

High Severity

14,605

Last 7 Days

1,268
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 181 - 200 of 1,570 CVEs

GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization.

Vendor: GNU
Product: Savane
Published: Jun 20, 2026
Source: NVD

Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishi...

Vendor: Capgo
Product: Capgo
Published: Jun 20, 2026
Source: NVD

Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause uninte...

Vendor: Capgo
Product: Capgo
Published: Jun 20, 2026
Source: NVD

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator'...

Vendor: Capgo
Product: Capgo
Published: Jun 20, 2026
Source: NVD

SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected

Vendor: go
Product: github.com/authzed/spicedb
Published: Jun 19, 2026
Source: GitHub

OpenBao's System Backend allows Unauthorized Management of the containing Namespace

Vendor: go
Product: github.com/openbao/openbao
Published: Jun 19, 2026
Source: GitHub

OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} β€” incomplete fix of CVE-2026-45808

Vendor: go
Product: github.com/openbao/openbao
Published: Jun 19, 2026
Source: GitHub

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be...

Vendor: authelia
Product: authelia
Published: Jun 19, 2026
Source: NVD

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can...

Vendor: rubygems
Product: concurrent-ruby
Published: Jun 19, 2026
Source: GitHub

concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are use...

Vendor: rubygems
Product: concurrent-ruby
Published: Jun 19, 2026
Source: GitHub

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, the CoreWCF WS-Security 1.0 receive pipeline validates ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite but does not validate each ds:Reference DigestMet...

Vendor: nuget
Product: CoreWCF.Primitives
Published: Jun 19, 2026
Source: GitHub

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` β€” invoked from `__destruct()` and from a registered shutdown function β€” calls `unlink()` on every entry with...

Vendor: pontedilana
Product: php-weasyprint
Published: Jun 19, 2026
Source: NVD
CVE-2026-9143 LOW - 3.7

There is an incorrect conversion between numeric types vulnerability in NI grpc-device due to missing range checks inΒ CodeGen.Β  This may silently discard high bits if a size value exceeded the target type's range. This affects NI grpc-device 2.17.0 and prior versions.

Vendor: ni
Product: instrumentstudio
Published: Jun 19, 2026
Source: NVD

HTML injection in pgAdmin 4's cloud deployment module. The verify_credentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text β€” and the related file-resolution and database-commi...

Vendor: pgadmin.org
Product: pgAdmin 4
Published: Jun 19, 2026
Source: NVD

A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22*...

Vendor: nodejs
Product: node
Published: Jun 18, 2026
Source: NVD

OpenFGA Improper Policy Enforcement

Vendor: go
Product: github.com/openfga/openfga
Published: Jun 18, 2026
Source: GitHub

PGHoard: Password written to debug log

Vendor: pip
Product: pghoard
Published: Jun 18, 2026
Source: GitHub

ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers

Vendor: go
Product: github.com/zitadel/zitadel
Published: Jun 18, 2026
Source: GitHub

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user cont...

Vendor: stiofansisland
Product: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Published: Jun 18, 2026
Source: NVD

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transforma...

Vendor: SteeltoeOSS
Product: Steeltoe.Configuration.Encryption
Published: Jun 17, 2026
Source: NVD