Total CVEs

143,226

Critical Severity

4,056

High Severity

14,605

Last 7 Days

1,273
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 241 - 260 of 39,631 CVEs

BLF file parser in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows possible information disclosure

Vendor: Wireshark Foundation
Product: Wireshark
Published: Jul 08, 2026
Source: NVD
CVE-2026-10037 HIGH - 8.8

A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via xdg-de...

Vendor: Canonical
Product: Ubuntu
Published: Jul 08, 2026
Source: NVD
CVE-2026-8472 MEDIUM - 4.3

GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to missi...

Published: Jul 08, 2026
Source: NVD
CVE-2026-7492 MEDIUM - 4.3

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6896 HIGH - 8.7

GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser ...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6352 LOW - 2.7

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorizatio...

Published: Jul 08, 2026
Source: NVD
CVE-2026-60105 HIGH - 8.6

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtai...

Vendor: Monsta Limited of New Zealand
Product: Monsta FTP
Published: Jul 08, 2026
Source: NVD
CVE-2026-59818 MEDIUM - 6.5

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRP...

Vendor: etcd-io
Product: etcd
Published: Jul 08, 2026
Source: NVD
CVE-2026-58525 HIGH - 8.2

Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

Vendor: microsoft
Product: edge_chromium
Published: Jul 08, 2026
Source: NVD
CVE-2026-58494 MEDIUM - 6.5

Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite ho...

Vendor: bytecodealliance
Product: wasmtime
Published: Jul 08, 2026
Source: NVD
CVE-2026-58211 MEDIUM - 5.4

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restr...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58208 MEDIUM - 6.8

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with acce...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58207 HIGH - 7.7

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal ari...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58192 HIGH - 8.6

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() with...

Vendor: appium
Product: appium
Published: Jul 08, 2026
Source: NVD
CVE-2026-58191 MEDIUM - 6.5

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate re...

Vendor: appium
Product: appium
Published: Jul 08, 2026
Source: NVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber...

Vendor: parse-community
Product: parse-server
Published: Jul 08, 2026
Source: NVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the interna...

Vendor: parse-community
Product: parse-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-56669 HIGH - 7.5

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of uniqu...

Vendor: elysiajs
Product: elysia
Published: Jul 08, 2026
Source: NVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allo...

Vendor: parse-community
Product: parse-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-55596 HIGH - 8.7

Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a ...

Vendor: udecode
Product: plate
Published: Jul 08, 2026
Source: NVD