Showing Year: 2026 (January 1 - December 31, 2026). Showing 3,501 - 3,520 of 33,646 CVEs.

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User...

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Published: Jun 03, 2026
Source: NVD
CVE-2026-37462 HIGH - 7.3

An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36748 CRITICAL - 9.0

RockRMS v16.13 and before v17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36576 CRITICAL - 9.8

An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36574 HIGH - 7.8

A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.

Published: Jun 03, 2026
Source: NVD

backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phish...

Vendor: Laravel-Backpack
Product: CRUD
Published: Jun 03, 2026
Source: NVD
CVE-2026-8404 LOW - 3.1

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache...

Vendor: djangoproject
Product: django
Published: Jun 03, 2026
Source: NVD
CVE-2026-7666 LOW - 3.1

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read...

Vendor: djangoproject
Product: django
Published: Jun 03, 2026
Source: NVD
CVE-2026-6873 LOW - 3.1

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one w...

Vendor: djangoproject
Product: django
Published: Jun 03, 2026
Source: NVD
CVE-2026-5241 HIGH - 8.0

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, i...

Vendor: huggingface
Product: transformers
Published: Jun 03, 2026
Source: NVD

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs w...

Vendor: djangoproject
Product: Django
Published: Jun 03, 2026
Source: NVD

ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first login. This b...

Vendor: ProjectsAndPrograms
Product: school-management-system
Published: Jun 03, 2026
Source: NVD

ProjectsAndPrograms school-management-system is vulnerable to Stored Cross-Site Scripting (XSS) in multiple attributes of students and teachers objects. An authorized attacker (e.g., a teacher or administrator) can inject malicious JavaScript that is subsequently executed in other users' browsers. C...

Vendor: ProjectsAndPrograms
Product: school-management-system
Published: Jun 03, 2026
Source: NVD

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines()...

Vendor: djangoproject
Product: daphne
Published: Jun 03, 2026
Source: NVD
CVE-2026-44545 MEDIUM - 5.3

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory cons...

Vendor: djangoproject
Product: daphne
Published: Jun 03, 2026
Source: NVD
CVE-2026-37460 HIGH - 7.5

Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Published: Jun 03, 2026
Source: NVD

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read priva...

Vendor: djangoproject
Product: Django
Published: Jun 03, 2026
Source: NVD

An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting (XSS) in email clients that render HTML emails. This issue aff...

Vendor: Thinkst Applied Research
Product: Canarytokens
Published: Jun 03, 2026
Source: NVD