Total CVEs

144,202

Critical Severity

4,148

High Severity

14,963

Last 7 Days

1,660
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 2,641 - 2,660 of 40,607 CVEs
CVE-2026-54786 MEDIUM - 5.0

Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before 36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 which suffers from a leak in the fd_renumber function where the f...

Vendor: bytecodealliance
Product: wasmtime
Published: Jul 01, 2026
Source: NVD

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) โ€” and the internal ConfigMerge / ConfigProto helpers โ€” merged user-supplied options into the editor configuration without filtering prototype-m...

Vendor: xdan
Product: jodit
Published: Jul 01, 2026
Source: NVD
CVE-2026-54720 MEDIUM - 5.4

Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In versions prior to 6.2.2, the "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2/

Vendor: silverstripe
Product: silverstripe-framework
Published: Jul 01, 2026
Source: NVD
CVE-2026-50521 HIGH - 8.3

Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: edge_chromium
Published: Jul 01, 2026
Source: NVD
CVE-2026-14340 MEDIUM - 5.0

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization ...

Vendor: GitHub
Product: Enterprise Server
Published: Jul 01, 2026
Source: NVD

oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens

Vendor: go
Product: oras.land/oras-go/v2
Published: Jul 01, 2026
Source: GitHub
CVE-2026-48824 MEDIUM - 5.3

Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)

Vendor: go
Product: github.com/axllent/mailpit
Published: Jul 01, 2026
Source: GitHub
CVE-2026-48819 MEDIUM - 4.8

@hey-api/openapi-ts's `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key

Vendor: npm
Product: @hey-api/openapi-ts
Published: Jul 01, 2026
Source: GitHub
CVE-2026-44935 CRITICAL - 9.9

Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants.

Vendor: go
Product: github.com/rancher/fleet
Published: Jul 01, 2026
Source: GitHub
CVE-2026-44936 MEDIUM - 5.0

Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials (BasicAuth) to any URL specified in the he...

Vendor: go
Product: github.com/rancher/fleet
Published: Jul 01, 2026
Source: GitHub
CVE-2026-44937 HIGH - 7.5

Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the system...

Vendor: go
Product: github.com/rancher/fleet
Published: Jul 01, 2026
Source: GitHub
CVE-2026-44938 HIGH - 8.8

A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) when applying them to the target namespace. An attacker with git push access to a Fleet-mon...

Vendor: go
Product: github.com/rancher/fleet
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49457 CRITICAL - 9.1

QUIC has Broken TLS verification

Vendor: erlang
Product: quic
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49998 HIGH - 8.2

Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass

Vendor: go
Product: github.com/centrifugal/centrifugo/v6
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49997 MEDIUM - 5.4

SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted

Vendor: rust
Product: surrealdb
Published: Jul 01, 2026
Source: GitHub
CVE-2026-58593 HIGH - 7.5

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo i...

Vendor: nodebb
Product: nodebb
Published: Jul 01, 2026
Source: NVD
CVE-2026-58592 HIGH - 8.3

Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose hos...

Vendor: LadybirdBrowser
Product: Ladybird
Published: Jul 01, 2026
Source: NVD
CVE-2026-58457 CRITICAL - 9.8

Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers...

Vendor: Shenzhen Aitemi E Commerce Co. Ltd.
Product: M300 Wi-Fi Repeater
Published: Jul 01, 2026
Source: NVD
CVE-2026-55688 MEDIUM - 4.0

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without ver...

Vendor: AsyncHttpClient
Product: async-http-client
Published: Jul 01, 2026
Source: NVD

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Versions prior to 3.1.4 are vulnerable to Remote Denial of Service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message. This issue has been fixed in version 3.1.4.

Vendor: pion
Product: dtls
Published: Jul 01, 2026
Source: NVD