Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,632
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 3,461 - 3,480 of 40,623 CVEs
CVE-2026-11806 HIGH - 7.2

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.

Vendor: IBM
Product: WebSphere Application Server - Liberty
Published: Jun 30, 2026
Source: NVD
CVE-2026-11714 HIGH - 8.5

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.

Vendor: IBM
Product: WebSphere Application Server - Liberty
Published: Jun 30, 2026
Source: NVD
CVE-2026-11712 CRITICAL - 9.3

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system.

Vendor: IBM
Product: WebSphere Application Server
Published: Jun 30, 2026
Source: NVD
CVE-2026-11708 CRITICAL - 9.3

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.

Vendor: IBM
Product: WebSphere Application Server
Published: Jun 30, 2026
Source: NVD
CVE-2026-11595 MEDIUM - 4.3

IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.

Vendor: IBM
Product: WebSphere Application Server
Published: Jun 30, 2026
Source: NVD
CVE-2026-11546 HIGH - 7.1

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.

Vendor: IBM
Product: WebSphere Application Server - Liberty
Published: Jun 30, 2026
Source: NVD
CVE-2026-10564 HIGH - 8.2

IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker ca...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10560 HIGH - 8.2

IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10546 HIGH - 7.1

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-Use (TOCTOU) race condition that can be exploited via DNS rebinding.

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10140 CRITICAL - 9.6

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leadin...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10134 CRITICAL - 10.0

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally mo...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10129 HIGH - 8.5

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10109 CRITICAL - 9.8

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling.

Vendor: IBM
Product: Db2
Published: Jun 30, 2026
Source: NVD
CVE-2025-36372 MEDIUM - 5.5

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables.

Vendor: IBM
Product: Db2
Published: Jun 30, 2026
Source: NVD
CVE-2026-58138 CRITICAL - 9.8

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to au...

Vendor: conductor-oss
Product: conductor
Published: Jun 30, 2026
Source: NVD
CVE-2026-10513 HIGH - 7.2

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties ...

Vendor: pfefferle
Product: Webmention
Published: Jun 30, 2026
Source: NVD
CVE-2026-55219 MEDIUM - 5.3

Paymenter has race condition in payWithCredit() that enables credit double-spend

Vendor: composer
Product: paymenter/paymenter
Published: Jun 30, 2026
Source: GitHub

Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub

Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub

Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub