Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,623
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 3,521 - 3,540 of 40,623 CVEs
CVE-2026-48285 HIGH - 8.6

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue d...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48283 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48282 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user i...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48281 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48277 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48276 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD

A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service.

Vendor: SUSE
Product: Rancher
Published: Jun 30, 2026
Source: NVD
CVE-2026-13455 MEDIUM - 4.3

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versi...

Vendor: DALIBO
Product: PostgreSQL Anonymizer
Published: Jun 30, 2026
Source: NVD
CVE-2022-31008 MEDIUM - 5.5

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions rel...

Vendor: erlang
Product: rabbit_common
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49451 HIGH - 7.5

The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process ...

Vendor: nuget
Product: Microsoft.OpenAPI
Published: Jun 30, 2026
Source: GitHub

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function...

Published: Jun 30, 2026
Source: NVD
CVE-2026-48192 MEDIUM - 5.4

A vulnerability has been identified in Mendix Studio Pro 10.11 (All versions), Mendix Studio Pro 10.12 (All versions), Mendix Studio Pro 10.13 (All versions), Mendix Studio Pro 10.14 (All versions), Mendix Studio Pro 10.15 (All versions), Mendix Studio Pro 10.16 (All versions), Mendix Studio Pro 10....

Published: Jun 30, 2026
Source: NVD

A Rancher FleetWorkspace admission path allowed side effects to occur in the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to the in-cluster rancher-webhook service could submi...

Vendor: SUSE
Product: Rancher
Published: Jun 30, 2026
Source: NVD

A missing clean-up in the legacy Project Role Template Binding (PRTB) reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security Admission (PSA) permissions after an administrator removes those permissions from a RoleTemplate.

Vendor: SUSE
Product: Rancher
Published: Jun 30, 2026
Source: NVD
CVE-2026-27957 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH use...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27956 MEDIUM - 4.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate ...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27955 MEDIUM - 6.6

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_co...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27883 MEDIUM - 5.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27882 MEDIUM - 4.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27881 MEDIUM - 5.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD