Total CVEs

143,226

Critical Severity

4,056

High Severity

14,605

Last 7 Days

1,264
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 241 - 260 of 1,570 CVEs

A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/add_tod of the component Dashboard Interface. The manipulation of the argument todo_data leads to cross site scripting. The attack may be init...

Vendor: CodeAstro
Product: Human Resource Management System
Published: Jun 12, 2026
Source: NVD

Tornado has out-of-bounds memory access via C extension

Vendor: pip
Product: tornado
Published: Jun 12, 2026
Source: GitHub

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPA...

Vendor: swift
Product: github.com/apple/swift-nio-http2
Published: Jun 12, 2026
Source: GitHub

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical de...

Vendor: Groww
Product: Stock, Mutual Fund, Gold App
Published: Jun 12, 2026
Source: NVD
CVE-2026-9269 LOW - 3.5

The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for exam...

Published: Jun 12, 2026
Source: NVD

Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Vendor: Google
Product: Chrome
Published: Jun 11, 2026
Source: NVD

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Vendor: Google
Product: Chrome
Published: Jun 11, 2026
Source: NVD

OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider pol...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack i...

Vendor: TwiN
Product: gatus
Published: Jun 11, 2026
Source: NVD
CVE-2026-9694 LOW - 2.6

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially cr...

Vendor: gitlab
Product: gitlab
Published: Jun 11, 2026
Source: NVD
CVE-2026-6976 LOW - 3.7

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to imp...

Vendor: gitlab
Product: gitlab
Published: Jun 11, 2026
Source: NVD
CVE-2026-3553 LOW - 3.1

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks.

Vendor: gitlab
Product: gitlab
Published: Jun 11, 2026
Source: NVD

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective...

Vendor: Spring
Product: Spring Web Services
Published: Jun 11, 2026
Source: NVD

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, cr...

Vendor: rikyoz
Product: bit7z
Published: Jun 10, 2026
Source: NVD

A person with access to a Mac may be able to bypass Login Window. A consistency issue was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4.

Vendor: Apple
Product: macOS Monterey
Published: Jun 10, 2026
Source: NVD

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir...

Vendor: fission
Product: fission
Published: Jun 10, 2026
Source: NVD

Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak C...

Vendor: nationalsecurityagency
Product: ghidra
Published: Jun 10, 2026
Source: NVD

Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting ...

Vendor: nationalsecurityagency
Product: ghidra
Published: Jun 10, 2026
Source: NVD

Papra HTTP redirect bypass can lead to SSRF via webhook delivery system

Vendor: npm
Product: @papra/webhooks
Published: Jun 10, 2026
Source: GitHub
CVE-2026-9060 LOW - 3.5

The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks eve...

Published: Jun 10, 2026
Source: NVD