Total CVEs

144,278

Critical Severity

4,164

High Severity

14,985

Last 7 Days

1,626
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 3,781 - 3,800 of 40,683 CVEs
CVE-2026-57942 MEDIUM - 5.3

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attacke...

Vendor: LibreTranslate
Product: LibreTranslate
Published: Jun 29, 2026
Source: NVD
CVE-2026-56783 MEDIUM - 6.5

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privi...

Vendor: parseablehq
Product: parseable
Published: Jun 29, 2026
Source: NVD
CVE-2026-56782 CRITICAL - 9.8

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database...

Vendor: gorse-io
Product: gorse
Published: Jun 29, 2026
Source: NVD
CVE-2026-56781 MEDIUM - 5.3

Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share m...

Vendor: teableio
Product: teable
Published: Jun 29, 2026
Source: NVD
CVE-2026-56780 HIGH - 7.5

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

Vendor: modoboa
Product: modoboa
Published: Jun 29, 2026
Source: NVD
CVE-2026-56285 HIGH - 8.6

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, includin...

Vendor: zedeus
Product: nitter
Published: Jun 29, 2026
Source: NVD
CVE-2026-36848 HIGH - 7.5

Gigamon GVOS v5.16.1 and below is vulnerable to Directory Traversal in the GVOS H-VUE subsystem.

Vendor: gigamon
Product: gigavue-os
Published: Jun 29, 2026
Source: NVD
CVE-2026-13592 HIGH - 7.3

A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4. Affected by this issue is the function BufWriter::append of the component EtherNet IP Message Handler. Performing a manipulation results in out-of-bounds write. Remote exploitation of the attack is pos...

Vendor: liftoff-sr
Product: CIPster
Published: Jun 29, 2026
Source: NVD
CVE-2026-11720 CRITICAL - 9.1

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the i...

Vendor: Google
Product: MCP Toolbox for Databases (googleapis/mcp-toolbox)
Published: Jun 29, 2026
Source: NVD

OpenAM OAuth Authorization Bypass via PKCE Challenge

Vendor: maven
Product: org.openidentityplatform.openam:openam-oauth2
Published: Jun 29, 2026
Source: GitHub

OpenAM OAuth Client Impersonation via JWKS Resolver Cache

Vendor: maven
Product: org.openidentityplatform.openam:openam-oauth2
Published: Jun 29, 2026
Source: GitHub

OpenAM Authenticated RCE via Groovy Sandbox Escape

Vendor: maven
Product: org.openidentityplatform.openam:openam-scripting
Published: Jun 29, 2026
Source: GitHub
CVE-2026-13752 HIGH - 8.0

Improper neutralization of parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. An attacker could exploit this by supplying crafted values to vulnerable command paths, causing Snowflake CLI to execute unintended SQL in the context of the user’s Snowflake session. Succ...

Vendor: snowflake
Product: snowflake_cli
Published: Jun 29, 2026
Source: NVD
CVE-2026-13751 CRITICAL - 9.6

Improper handling of untrusted remote references in Snowflake CLI versions prior to 3.19 allowed server-side request forgery. The SQL statement reader's !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restriction on the request destination....

Vendor: snowflake
Product: snowflake_cli
Published: Jun 29, 2026
Source: NVD
CVE-2026-13591 MEDIUM - 5.0

A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. This manipulation of the argument _channelType causes improper authorization. The attack may be initiated remotely. A h...

Vendor: DeepMyst
Product: Mysti
Published: Jun 29, 2026
Source: NVD
CVE-2026-13590 MEDIUM - 5.6

A security flaw has been discovered in seladb PcapPlusPlus 25.05. This impacts the function pcpp::ModbusLayer::getLength in the library Packet++/header/ModbusLayer.h of the component Modbus Protocol Handler. The manipulation of the argument length results in heap-based buffer overflow. The attack ca...

Vendor: seladb
Product: PcapPlusPlus
Published: Jun 29, 2026
Source: NVD
CVE-2026-13589 MEDIUM - 5.6

A vulnerability was identified in seladb PcapPlusPlus 25.05. This affects the function pcpp::TelnetLayer::getSubCommand of the file Packet++/src/TelnetLayer.cpp of the component Telnet Subnegotiation Packet Handler. The manipulation leads to heap-based buffer overflow. The attack can be initiated re...

Vendor: seladb
Product: PcapPlusPlus
Published: Jun 29, 2026
Source: NVD
CVE-2026-13588 MEDIUM - 5.6

A vulnerability was determined in seladb PcapPlusPlus 25.05. The impacted element is the function pcpp::SSLClientHelloMessage::getHandshakeVersion of the file Packet++/src/SSLHandshake.cpp of the component TLS Hello Handler. Executing a manipulation of the argument handshakeVersion can lead to heap-...

Vendor: seladb
Product: PcapPlusPlus
Published: Jun 29, 2026
Source: NVD
CVE-2026-12912 HIGH - 7.3

A flaw was found in libtiff. A remote attacker could exploit this vulnerability by providing a specially crafted PixarLog-compressed TIFF image. This issue occurs when decoding Pixarlog codec images with the PIXARLOGDATAFMT_8BITABGR output format and a specific stride value, leading to a heap-based ...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat Hardened Images
Published: Jun 29, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Jun 29, 2026
Source: NVD