Total CVEs

143,226

Critical Severity

4,056

High Severity

14,605

Last 7 Days

1,264
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 201 - 220 of 1,570 CVEs

The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.

Vendor: Black Lantern Security
Product: BBOT
Published: Jun 17, 2026
Source: NVD

The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication req...

Vendor: Black Lantern Security
Product: BBOT
Published: Jun 17, 2026
Source: NVD
CVE-2026-6733 LOW - 3.7

Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, ...

Vendor: npm
Product: undici
Published: Jun 17, 2026
Source: NVD

snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.

Vendor: Snes9X team
Product: Snes9X
Published: Jun 17, 2026
Source: NVD

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSit...

Vendor: undici
Product: undici
Published: Jun 17, 2026
Source: NVD

Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information discl...

Vendor: Dell
Product: PowerFlex
Published: Jun 17, 2026
Source: NVD

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permiss...

Vendor: npm
Product: @mariozechner/pi-coding-agent
Published: Jun 17, 2026
Source: GitHub

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Jun 17, 2026
Source: NVD
CVE-2026-0057 LOW - 3.3

In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Jun 17, 2026
Source: NVD

HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity

Vendor: HCL Software
Product: iControl
Published: Jun 17, 2026
Source: NVD

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromis...

Vendor: oracle
Product: vm_virtualbox
Published: Jun 17, 2026
Source: NVD

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...

Vendor: oracle
Product: vm_virtualbox
Published: Jun 17, 2026
Source: NVD

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromis...

Vendor: oracle
Product: vm_virtualbox
Published: Jun 17, 2026
Source: NVD

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromis...

Vendor: oracle
Product: vm_virtualbox
Published: Jun 17, 2026
Source: NVD

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass the c...

Vendor: npm
Product: @mariozechner/pi-coding-agent
Published: Jun 16, 2026
Source: GitHub
CVE-2026-0158 LOW - 3.3

In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Jun 16, 2026
Source: NVD
CVE-2026-0145 LOW - 3.3

In keymint, there is a possible Permission Bypass due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Jun 16, 2026
Source: NVD
CVE-2026-0142 LOW - 3.3

In iavb_parse_key_data of avb_rsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Jun 16, 2026
Source: NVD
CVE-2026-0134 LOW - 3.3

In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Jun 16, 2026
Source: NVD
CVE-2026-0130 LOW - 3.5

In RtcpChunk::decodeRtcpChunk, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

Vendor: google
Product: android
Published: Jun 16, 2026
Source: NVD