Total CVEs

144,202

Critical Severity

4,148

High Severity

14,963

Last 7 Days

1,649
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 2,681 - 2,700 of 40,607 CVEs
CVE-2026-50195 CRITICAL - 9.9

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods ...

Vendor: linuxfoundation
Product: containerd
Published: Jul 01, 2026
Source: NVD
CVE-2026-50160 CRITICAL - 10.0

Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extra p...

Vendor: hoppscotch
Product: hoppscotch
Published: Jul 01, 2026
Source: NVD
CVE-2026-49119 HIGH - 7.5

Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can prov...

Vendor: gradio_project
Product: gradio
Published: Jul 01, 2026
Source: NVD
CVE-2026-47262 MEDIUM - 5.5

containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an O...

Vendor: linuxfoundation
Product: containerd
Published: Jul 01, 2026
Source: NVD
CVE-2026-41121 HIGH - 7.3

Dell Device Management Agent, versions prior to DDMA 26.05, contain an Improper Link Resolution Before File Access ('Link Following’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Vendor: Dell
Product: Device Management Agent
Published: Jul 01, 2026
Source: NVD
CVE-2026-38142 MEDIUM - 6.5

An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.

Published: Jul 01, 2026
Source: NVD

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4.

Vendor: The Wikimedia Foundation
Product: Mediawiki - Charts Extension
Published: Jul 01, 2026
Source: NVD
CVE-2026-13769 MEDIUM - 5.5

Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the same host to read credentials written by certain CLI subcomman...

Vendor: AWS
Product: AWS CLI
Published: Jul 01, 2026
Source: NVD
CVE-2026-13760 HIGH - 7.3

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injecte...

Vendor: AWS
Product: AWS CDK
Published: Jul 01, 2026
Source: NVD

repomix: attach_packed_output can bypass file-read secret scanning for supported local files

Vendor: npm
Product: repomix
Published: Jul 01, 2026
Source: GitHub

Concourse login flow has an open redirect issue

Vendor: go
Product: github.com/concourse/concourse
Published: Jul 01, 2026
Source: GitHub
CVE-2026-49987 HIGH - 8.8

repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection

Vendor: npm
Product: repomix
Published: Jul 01, 2026
Source: GitHub

Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`

Vendor: composer
Product: twig/twig
Published: Jul 01, 2026
Source: GitHub

Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`

Vendor: pip
Product: neuro-cortex-memory
Published: Jul 01, 2026
Source: GitHub

wetty vulnerable to DOM XSS via file-download filename

Vendor: npm
Product: wetty
Published: Jul 01, 2026
Source: GitHub
CVE-2026-5051 MEDIUM - 4.4

HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.

Published: Jul 01, 2026
Source: NVD
CVE-2026-58521 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.

Vendor: The Wikimedia Foundation
Product: Mediawiki - Cargo Extension
Published: Jul 01, 2026
Source: NVD

URL redirection to untrusted site ('open redirect') vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing. This issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4.

Vendor: The Wikimedia Foundation
Product: Mediawiki - UrlShortener Extension
Published: Jul 01, 2026
Source: NVD
CVE-2026-57737 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16.

Vendor: Averta LTD
Product: Shortcodes and extra features for Phlox theme
Published: Jul 01, 2026
Source: NVD
CVE-2026-57736 HIGH - 7.4

Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data. This issue affects HubSpot: from n/a through 11.3.51.

Vendor: HubSpot
Product: HubSpot
Published: Jul 01, 2026
Source: NVD