Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,630
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 3,481 - 3,500 of 40,623 CVEs

Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49835 MEDIUM - 5.9

Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality

Vendor: go
Product: github.com/sigstore/timestamp-authority/v2
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49478 HIGH - 8.7

Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage

Vendor: go
Product: github.com/sigstore/fulcio
Published: Jun 30, 2026
Source: GitHub
CVE-2026-48796 MEDIUM - 5.3

CefSharp.Common: `FolderSchemeHandlerFactory` path boundary check can expose files outside the configured root folder

Vendor: nuget
Product: CefSharp.Common
Published: Jun 30, 2026
Source: GitHub
CVE-2026-48795 HIGH - 8.6

@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754

Vendor: npm
Product: @adonisjs/bodyparser
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49820 MEDIUM - 4.7

Probo has an open redirect bypass via path normalization

Vendor: go
Product: go.probo.inc/probo
Published: Jun 30, 2026
Source: GitHub

Sigstore Java has a vulnerability with bundle verification of integratedTime

Vendor: maven
Product: dev.sigstore:sigstore-java
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49473 HIGH - 8.8

@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation

Vendor: npm
Product: @cedar-policy/authorization-for-expressjs
Published: Jun 30, 2026
Source: GitHub
CVE-2026-9263 MEDIUM - 6.5

The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time_offset, so its segment-header len must be at leas...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD

The HP Fan Control App might allow local escalation of privileges. An updated version of HP Fan Control App has been released to mitigate this potential vulnerability.

Published: Jun 30, 2026
Source: NVD
CVE-2026-58377 HIGH - 8.1

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro au...

Vendor: jeecgboot
Product: JeecgBoot
Published: Jun 30, 2026
Source: NVD
CVE-2026-58376 HIGH - 7.6

Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The a...

Vendor: Dolibarr
Product: dolibarr
Published: Jun 30, 2026
Source: NVD
CVE-2026-58375 HIGH - 7.5

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id with...

Vendor: jeecgboot
Product: jimureport
Published: Jun 30, 2026
Source: NVD
CVE-2026-58373 MEDIUM - 4.3

CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter...

Vendor: cvat-ai
Product: cvat
Published: Jun 30, 2026
Source: NVD
CVE-2026-58372 HIGH - 8.1

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in th...

Vendor: seaweedfs
Product: seaweedfs
Published: Jun 30, 2026
Source: NVD

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON ...

Vendor: seaweedfs
Product: seaweedfs
Published: Jun 30, 2026
Source: NVD
CVE-2026-58370 HIGH - 8.1

Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) carried in the webhook payload, which is attacker-controlled and not verified by GitLab. A use...

Vendor: woodpecker-ci
Product: woodpecker
Published: Jun 30, 2026
Source: NVD
CVE-2026-58369 MEDIUM - 5.3

Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User ...

Vendor: woodpecker-ci
Product: woodpecker
Published: Jun 30, 2026
Source: NVD
CVE-2026-58176 MEDIUM - 6.5

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authenti...

Vendor: dromara
Product: RuoYi-Vue-Plus
Published: Jun 30, 2026
Source: NVD
CVE-2026-58174 MEDIUM - 6.5

Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persisted with a null profile. Because a null profile is treated as ...

Vendor: nesquena
Product: hermes-webui
Published: Jun 30, 2026
Source: NVD