Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,470
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 2,441 - 2,460 of 40,240 CVEs
CVE-2026-6688 HIGH - 7.6

FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy w...

Vendor: elm-chan
Product: fatfs
Published: Jul 01, 2026
Source: NVD
CVE-2026-6687 HIGH - 7.6

FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The e...

Vendor: elm-chan
Product: fatfs
Published: Jul 01, 2026
Source: NVD
CVE-2026-6686 MEDIUM - 4.6

FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The ...

Vendor: elm-chan
Product: fatfs
Published: Jul 01, 2026
Source: NVD
CVE-2026-6685 MEDIUM - 6.1

FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U...

Vendor: elm-chan
Product: fatfs
Published: Jul 01, 2026
Source: NVD
CVE-2026-6684 MEDIUM - 4.6

FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated ...

Vendor: elm-chan
Product: fatfs
Published: Jul 01, 2026
Source: NVD
CVE-2026-6683 MEDIUM - 4.6

FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivere...

Vendor: elm-chan
Product: fatfs
Published: Jul 01, 2026
Source: NVD
CVE-2026-6682 HIGH - 7.6

In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vecto...

Vendor: elm-chan
Product: fatfs
Published: Jul 01, 2026
Source: NVD
CVE-2026-6283 MEDIUM - 5.4

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from v.4.8.2.23 before v.4.8.3.1.

Published: Jul 01, 2026
Source: NVD
CVE-2026-5220 MEDIUM - 6.4

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from 4.8.2.23 before v.4.8.3.1.

Published: Jul 01, 2026
Source: NVD
CVE-2026-5142 MEDIUM - 6.5

A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in mult...

Published: Jul 01, 2026
Source: NVD
CVE-2026-5138 MEDIUM - 4.3

A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypa...

Published: Jul 01, 2026
Source: NVD
CVE-2026-5135 MEDIUM - 6.5

A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing authori...

Published: Jul 01, 2026
Source: NVD

@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth...

Vendor: antonio-castellon
Product: module-auth
Published: Jul 01, 2026
Source: NVD

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue.

Vendor: Wikimedia Foundation
Product: MediaWiki
Published: Jul 01, 2026
Source: NVD

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue. This issu...

Vendor: Wikimedia Foundation
Product: CheckUser
Published: Jul 01, 2026
Source: NVD

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki...

Vendor: Wikimedia Foundation
Product: MediaWiki
Published: Jul 01, 2026
Source: NVD

The following Poly Voice IP devices, CCX, Trio, and Edge E, might be inoperable if they connect to a malicious SIP server and receive malformed data. HP is releasing updates to mitigate these potential vulnerabilities.

Published: Jul 01, 2026
Source: NVD
CVE-2026-23537 CRITICAL - 9.1

A vulnerability has been identified in the Feast Feature Server’s `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabli...

Vendor: Feast, Red Hat
Product: Feast Feature Server, Red Hat OpenShift AI (RHOAI)
Published: Jul 01, 2026
Source: NVD
CVE-2026-14330 MEDIUM - 5.5

Multiple unbounded alloca() calls in the PulseAudio protocol server.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 01, 2026
Source: NVD
CVE-2026-14324 MEDIUM - 6.5

RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 01, 2026
Source: NVD