Total CVEs

144,202

Critical Severity

4,148

High Severity

14,963

Last 7 Days

1,665
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 2,621 - 2,640 of 40,607 CVEs
CVE-2026-54262 MEDIUM - 4.3

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed ...

Vendor: torchbox
Product: wagtail
Published: Jul 01, 2026
Source: NVD
CVE-2026-54261 MEDIUM - 6.5

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not expose...

Vendor: torchbox
Product: wagtail
Published: Jul 01, 2026
Source: NVD

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not explo...

Vendor: torchbox
Product: wagtail
Published: Jul 01, 2026
Source: NVD
CVE-2026-54259 MEDIUM - 4.3

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could ...

Vendor: torchbox
Product: wagtail
Published: Jul 01, 2026
Source: NVD
CVE-2026-52190 HIGH - 7.5

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_448384 component

Published: Jul 01, 2026
Source: NVD
CVE-2026-52186 CRITICAL - 9.8

SQL Injection vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to execute arbitrary code via the gohead/sub_463bbc component

Published: Jul 01, 2026
Source: NVD
CVE-2026-38891 HIGH - 7.5

An improper input validation in the gazebo_ros_diff_drive.cpp component of gazebo_plugins v3.9.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted geometry_msgs::Twist message.

Published: Jul 01, 2026
Source: NVD
CVE-2026-36912 HIGH - 7.5

A NULL pointer dereference in the AP4_AtomSampleTable::GetSample() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Published: Jul 01, 2026
Source: NVD
CVE-2026-36911 MEDIUM - 5.5

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Published: Jul 01, 2026
Source: NVD
CVE-2026-36910 MEDIUM - 5.5

An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Published: Jul 01, 2026
Source: NVD
CVE-2026-36909 MEDIUM - 6.2

A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Published: Jul 01, 2026
Source: NVD
CVE-2026-50143 HIGH - 8.1

Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token

Vendor: npm
Product: @apify/actors-mcp-server
Published: Jul 01, 2026
Source: GitHub
CVE-2026-50139 MEDIUM - 5.9

goshs: Share-link ?token=โ€ฆ redemption races past download limit

Vendor: go
Product: goshs.de/goshs/v2
Published: Jul 01, 2026
Source: GitHub
CVE-2026-50138 HIGH - 8.1

goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags

Vendor: go
Product: goshs.de/goshs/v2
Published: Jul 01, 2026
Source: GitHub

OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms

Vendor: maven
Product: com.ongres.scram:scram-client
Published: Jul 01, 2026
Source: GitHub
CVE-2026-50163 HIGH - 7.1

`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution

Vendor: go
Product: oras.land/oras-go/v2
Published: Jul 01, 2026
Source: GitHub

oras-go has file store write outside workingDir via symlink traversal

Vendor: go
Product: oras.land/oras-go/v2
Published: Jul 01, 2026
Source: GitHub
CVE-2026-50151 HIGH - 7.5

oras-go blob upload vulnerable to credential forwarding via unvalidated Location header

Vendor: go
Product: oras.land/oras-go/v2
Published: Jul 01, 2026
Source: GitHub
CVE-2026-58263 HIGH - 7.2

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-inter...

Vendor: xdan
Product: jodit
Published: Jul 01, 2026
Source: NVD
CVE-2026-55153 HIGH - 7.1

mchange-commons-java is a Java library of shared utility classes used by mchange projects like the c3p0 connection pool. Prior to version 0.6.0, its JNDI ObjectFactory implementation (com.mchange.v2.naming.JavaBeanObjectFactory) will construct objects of arbitrary classes and initialize "JavaBe...

Vendor: swaldman
Product: mchange-commons-java
Published: Jul 01, 2026
Source: NVD