Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,529
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 2,241 - 2,260 of 40,198 CVEs
CVE-2026-44936 MEDIUM - 5.0

Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials (BasicAuth) to any URL specified in the he...

Vendor: go
Product: github.com/rancher/fleet
Published: Jul 01, 2026
Source: GitHub
CVE-2026-44937 HIGH - 7.5

Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the system...

Vendor: go
Product: github.com/rancher/fleet
Published: Jul 01, 2026
Source: GitHub
CVE-2026-44938 HIGH - 8.8

A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace. An attacker with git push access to a Fleet-mon...

Vendor: go
Product: github.com/rancher/fleet
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49457 CRITICAL - 9.1

QUIC has Broken TLS verification

Vendor: erlang
Product: quic
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49998 HIGH - 8.2

Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass

Vendor: go
Product: github.com/centrifugal/centrifugo/v6
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49997 MEDIUM - 5.4

SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted

Vendor: rust
Product: surrealdb
Published: Jul 01, 2026
Source: GitHub
CVE-2026-58593 HIGH - 7.5

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo i...

Vendor: nodebb
Product: nodebb
Published: Jul 01, 2026
Source: NVD
CVE-2026-58592 HIGH - 8.3

Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose hos...

Vendor: LadybirdBrowser
Product: Ladybird
Published: Jul 01, 2026
Source: NVD
CVE-2026-58457 CRITICAL - 9.8

Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers...

Vendor: Shenzhen Aitemi E Commerce Co. Ltd.
Product: M300 Wi-Fi Repeater
Published: Jul 01, 2026
Source: NVD
CVE-2026-55688 MEDIUM - 4.0

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without ver...

Vendor: AsyncHttpClient
Product: async-http-client
Published: Jul 01, 2026
Source: NVD

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Versions prior to 3.1.4 are vulnerable to Remote Denial of Service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message. This issue has been fixed in version 3.1.4.

Vendor: pion
Product: dtls
Published: Jul 01, 2026
Source: NVD
CVE-2026-54164 MEDIUM - 6.5

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unin...

Vendor: api-platform
Product: core
Published: Jul 01, 2026
Source: NVD
CVE-2026-49858 MEDIUM - 5.9

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per requ...

Vendor: api-platform
Product: core, api-platform/hal, api-platform/json-api
Published: Jul 01, 2026
Source: NVD
CVE-2026-14363 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

Vendor: The Wikimedia Foundation
Product: Mediawiki - Cargo Extension
Published: Jul 01, 2026
Source: NVD
CVE-2026-14265 HIGH - 7.5

Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted...

Vendor: AWS
Product: AWS Advanced JDBC Wrapper
Published: Jul 01, 2026
Source: NVD
CVE-2026-48815 HIGH - 7.5

sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced

Vendor: npm
Product: sigstore
Published: Jul 01, 2026
Source: GitHub
CVE-2026-48816 MEDIUM - 6.5

sigstore-js has Insufficient Verification of Data Authenticity

Vendor: npm
Product: @sigstore/verify
Published: Jul 01, 2026
Source: GitHub

CrateDB's Blob HTTP handler bypasses authorization

Vendor: maven
Product: io.crate:crate
Published: Jul 01, 2026
Source: GitHub

Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass. This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.

Vendor: The Wikimedia Foundation
Product: Mediawiki - WikiLambda Extension
Published: Jul 01, 2026
Source: NVD
CVE-2026-58451 MEDIUM - 6.5

Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation...

Vendor: horde
Product: imp
Published: Jul 01, 2026
Source: NVD