Total CVEs

144,269

Critical Severity

4,162

High Severity

14,979

Last 7 Days

1,670
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 3,561 - 3,580 of 40,674 CVEs
CVE-2026-10655 MEDIUM - 6.5

The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the network socket service, without synchronizing with the socket-service poll thread. The socket service ...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD

A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISCONNECTING, DISC sent, RTX timer armed) and the con...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD
CVE-2026-10653 MEDIUM - 6.4

The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, if (--buf->ref > 0), if (--(*ref_count)...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD
CVE-2026-10652 MEDIUM - 4.8

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD
CVE-2026-47198 HIGH - 8.5

Paymenter has URL parameter injection that bypasses paid plan limits at checkout

Vendor: composer
Product: paymenter/paymenter
Published: Jun 30, 2026
Source: GitHub
CVE-2023-46118 MEDIUM - 4.9

RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API a...

Vendor: erlang
Product: rabbit_common
Published: Jun 30, 2026
Source: GitHub
CVE-2026-48315 CRITICAL - 9.3

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining e...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48314 MEDIUM - 6.5

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write acces...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48313 CRITICAL - 9.3

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sen...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48307 HIGH - 8.8

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. Exploi...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48286 CRITICAL - 10.0

Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: Adobe
Product: Adobe Campaign Classic (ACC)
Published: Jun 30, 2026
Source: NVD
CVE-2026-48285 HIGH - 8.6

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue d...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48283 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48282 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user i...

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48281 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48277 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD
CVE-2026-48276 CRITICAL - 10.0

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Vendor: adobe
Product: coldfusion
Published: Jun 30, 2026
Source: NVD

A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service.

Vendor: SUSE
Product: Rancher
Published: Jun 30, 2026
Source: NVD
CVE-2026-13455 MEDIUM - 4.3

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versi...

Vendor: DALIBO
Product: PostgreSQL Anonymizer
Published: Jun 30, 2026
Source: NVD
CVE-2022-31008 MEDIUM - 5.5

RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions rel...

Vendor: erlang
Product: rabbit_common
Published: Jun 30, 2026
Source: GitHub