Total CVEs

144,090

Critical Severity

4,134

High Severity

14,909

Last 7 Days

1,572
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 2,621 - 2,640 of 40,495 CVEs
CVE-2026-56149 MEDIUM - 4.9

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the...

Vendor: elastic
Product: elasticsearch
Published: Jul 01, 2026
Source: NVD
CVE-2026-56148 MEDIUM - 6.5

Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable...

Vendor: elastic
Product: elasticsearch
Published: Jul 01, 2026
Source: NVD
CVE-2026-54399 HIGH - 7.5

Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive he...

Vendor: Apache Software Foundation
Product: Apache HttpComponents Core
Published: Jul 01, 2026
Source: NVD
CVE-2026-49088 MEDIUM - 4.4

Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to opera...

Vendor: elastic
Product: kibana
Published: Jul 01, 2026
Source: NVD
CVE-2026-49087 MEDIUM - 6.5

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.

Vendor: elastic
Product: kibana
Published: Jul 01, 2026
Source: NVD
CVE-2026-34117 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec(\"php jobs/text_to_subtitles.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34116 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe.php (line 15) without sanitization: exec(\"php jobs/transcribe.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticat...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34115 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php (line 15) without sanitization: exec(\"php jobs/transcribe_amazon.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34114 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec(\"php jobs/translate_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unaut...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34113 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech_text.php (line 18) without sanitization: exec(\"php jobs/speech_audio_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unaut...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34112 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec(\"php jobs/speech_audio_mac.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthen...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34111 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac_text.php (line 18) without sanitization: exec(\"php jobs/speech_audio_mac_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. A...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34110 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec(\"php jobs/complex.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticat...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34109 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech.php (line 18) without sanitization: exec(\"php jobs/speech_audio.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34108 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec(\"php jobs/text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote at...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34107 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization: exec(\"php jobs/translate.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34106 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec(\"php jobs/subtitle_rendering.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauth...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34105 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text.php (line 15): SELECT id, filename, extension, type FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection t...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34104 CRITICAL - 9.8

Guardian language-system passes the name GET parameter directly into an unsanitized SQL query in designer.php (line 124): SELECT * FROM complex WHERE name='\".$_GET['name'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD
CVE-2026-34103 CRITICAL - 9.8

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in subtitles.php (line 16): SELECT id, filename, extension, type FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to ext...

Vendor: guardian
Product: language-system
Published: Jul 01, 2026
Source: NVD