Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,528
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 2,281 - 2,300 of 40,198 CVEs

repomix: attach_packed_output can bypass file-read secret scanning for supported local files

Vendor: npm
Product: repomix
Published: Jul 01, 2026
Source: GitHub

Concourse login flow has an open redirect issue

Vendor: go
Product: github.com/concourse/concourse
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49987 HIGH - 8.8

repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection

Vendor: npm
Product: repomix
Published: Jul 01, 2026
Source: GitHub

Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`

Vendor: composer
Product: twig/twig
Published: Jul 01, 2026
Source: GitHub

Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`

Vendor: pip
Product: neuro-cortex-memory
Published: Jul 01, 2026
Source: GitHub

wetty vulnerable to DOM XSS via file-download filename

Vendor: npm
Product: wetty
Published: Jul 01, 2026
Source: GitHub
CVE-2026-5051 MEDIUM - 4.4

HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.

Published: Jul 01, 2026
Source: NVD
CVE-2026-58521 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

Vendor: The Wikimedia Foundation
Product: Mediawiki - Cargo Extension
Published: Jul 01, 2026
Source: NVD

URL redirection to untrusted site ('open redirect') vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing. This issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4.

Vendor: The Wikimedia Foundation
Product: Mediawiki - UrlShortener Extension
Published: Jul 01, 2026
Source: NVD
CVE-2026-57737 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16.

Vendor: Averta LTD
Product: Shortcodes and extra features for Phlox theme
Published: Jul 01, 2026
Source: NVD
CVE-2026-57736 HIGH - 7.4

Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data. This issue affects HubSpot: from n/a through 11.3.51.

Vendor: HubSpot
Product: HubSpot
Published: Jul 01, 2026
Source: NVD
CVE-2026-57723 HIGH - 7.4

Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.

Vendor: e4jvikwp
Product: VikBooking Hotel Booking Engine & PMS
Published: Jul 01, 2026
Source: NVD
CVE-2026-57722 MEDIUM - 5.9

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace allows Stored XSS. This issue affects Enable Media Replace: from n/a through 4.2.1.

Vendor: ShortPixel
Product: Enable Media Replace
Published: Jul 01, 2026
Source: NVD
CVE-2026-54428 HIGH - 7.5

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 S...

Vendor: Apache Software Foundation
Product: Apache HttpComponents Core
Published: Jul 01, 2026
Source: NVD
CVE-2026-51946 MEDIUM - 6.5

SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the the __sort_type URL parameter on all /admin/info/{table} endpoints

Published: Jul 01, 2026
Source: NVD
CVE-2026-49091 HIGH - 8.0

Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal th...

Vendor: elastic
Product: kibana
Published: Jul 01, 2026
Source: NVD
CVE-2026-49090 MEDIUM - 6.5

Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process reques...

Vendor: elastic
Product: elasticsearch
Published: Jul 01, 2026
Source: NVD
CVE-2026-49857 HIGH - 7.4

auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback

Vendor: npm
Product: auth-fetch-mcp
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49856 MEDIUM - 4.3

@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization

Vendor: npm
Product: @jshookmcp/jshook
Published: Jul 01, 2026
Source: GitHub
CVE-2026-46487 HIGH - 7.5

GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field

Vendor: maven
Product: org.geonetwork-opensource:geonetwork
Published: Jul 01, 2026
Source: GitHub