Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,270
Quick preset (or use dates below)
Clear Filters
Showing 321 - 340 of 143,232 CVEs
CVE-2026-59806 HIGH - 7.4

Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() function in the /gradio_api/file= endpoint. Attackers can cr...

Vendor: gradio-app
Product: gradio
Published: Jul 08, 2026
Source: NVD
CVE-2026-59805 MEDIUM - 6.5

Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke_access and undo_revoke_access actions without seller ownership ...

Vendor: antiwork
Product: gumroad
Published: Jul 08, 2026
Source: NVD
CVE-2026-59804 MEDIUM - 6.8

Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, which ...

Vendor: web-infra-dev
Product: midscene
Published: Jul 08, 2026
Source: NVD
CVE-2026-59803 HIGH - 7.5

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode (protocol/message.go). When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in size...

Vendor: smallnest
Product: rpcx
Published: Jul 08, 2026
Source: NVD
CVE-2026-59802 HIGH - 8.2

PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and cre...

Vendor: PasswordPusher
Product: PasswordPusher
Published: Jul 08, 2026
Source: NVD
CVE-2026-58501 MEDIUM - 5.9

Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed...

Vendor: mvantellingen
Product: python-zeep
Published: Jul 08, 2026
Source: NVD

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode opera...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58253 HIGH - 8.8

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthent...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58252 MEDIUM - 6.5

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58251 MEDIUM - 6.5

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluatio...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58250 HIGH - 7.5

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sendin...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58214 MEDIUM - 4.3

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an authenticated MQTT client could subscribe to the internal $MQTT.deliver.pubrel subject family, bypassing configured subscribe permissions and exposing MQTT QoS2 protocol ...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58213 HIGH - 7.1

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting ...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD

Rejected reason: Further research determined the issue is not a vulnerability based on CNA Rule 4.1.12 The act of updating Product dependencies MUST NOT be determined to be a Vulnerability, regardless of whether the dependencies have Vulnerabilities.

Published: Jul 08, 2026
Source: NVD
CVE-2026-58210 HIGH - 7.5

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, an unauthenticated MQTT client could cause the server to retain large incomplete MQTT CONNECT packets before authentication completed, consuming server memory while the pars...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58209 MEDIUM - 4.3

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delive...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.27.1, the pop array filter at src/filters/array.ts allocated a full clone of its input array via [...toArray(v)] without calling this.context.memoryLimit.use(...), allowing a template render such as {{ hu...

Vendor: harttle
Product: liquidjs
Published: Jul 08, 2026
Source: NVD
CVE-2026-55404 HIGH - 7.5

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allo...

Vendor: yt-dlp
Product: yt-dlp
Published: Jul 08, 2026
Source: NVD
CVE-2026-36028 MEDIUM - 6.8

A protection mechanism failure in the Code 27 Companion Hub allows an attacker with physical access to completely bypass kiosk restrictions via a factory reset

Published: Jul 08, 2026
Source: NVD
CVE-2026-36027 MEDIUM - 6.8

An issue in Code27 Companion Hub SQ3A.220705.003.A1 allows a physically proximate attacker to execute arbitrary code via the USB debugging (ADB) and Android Debug Bridge components

Published: Jul 08, 2026
Source: NVD