Total CVEs

144,294

Critical Severity

4,165

High Severity

14,995

Last 7 Days

1,607
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 3,861 - 3,880 of 40,699 CVEs
CVE-2026-56457 MEDIUM - 4.3

HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.

Vendor: HCLSoftware
Product: HCL DevOps Deploy / HCL Launch
Published: Jun 29, 2026
Source: NVD
CVE-2026-54371 HIGH - 7.1

attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can r...

Vendor: attr project
Product: attr
Published: Jun 29, 2026
Source: NVD
CVE-2026-54370 MEDIUM - 6.3

acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(...

Vendor: acl project
Product: acl
Published: Jun 29, 2026
Source: NVD
CVE-2026-54369 HIGH - 7.1

acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attac...

Vendor: acl project
Product: acl
Published: Jun 29, 2026
Source: NVD
CVE-2026-40524 HIGH - 8.1

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing...

Vendor: FrontAccounting
Product: FrontAccounting
Published: Jun 29, 2026
Source: NVD
CVE-2026-40523 HIGH - 8.1

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SA_GLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM_2 and PARAM_3 POST parameters. Attackers can exploit ti...

Vendor: FrontAccounting
Product: FrontAccounting
Published: Jun 29, 2026
Source: NVD
CVE-2026-40522 HIGH - 7.1

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the u...

Vendor: FrontAccounting
Product: FrontAccounting
Published: Jun 29, 2026
Source: NVD
CVE-2026-40521 HIGH - 8.8

FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. Attackers can supply path traversal sequences ../../../shell....

Vendor: FrontAccounting
Product: FrontAccounting
Published: Jun 29, 2026
Source: NVD
CVE-2026-13676 HIGH - 7.5

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still retu...

Vendor: fast-uri
Product: fast-uri
Published: Jun 29, 2026
Source: NVD

A vulnerability was detected in SourceCodester Inventory Management System 1.0. Impacted is an unknown function of the file /api/users_handler.php of the component User Registration Endpoint. Performing a manipulation of the argument full_name results in cross site scripting. The attack is possible ...

Vendor: SourceCodester
Product: Inventory Management System
Published: Jun 29, 2026
Source: NVD
CVE-2026-13569 MEDIUM - 4.7

A security vulnerability has been detected in weng-xianhu EyouCMS up to 1.7.1. This issue affects some unknown processing of the file /index.php of the component API. Such manipulation of the argument click_like leads to sql injection. The attack can be executed remotely. The exploit has been disclo...

Vendor: weng-xianhu
Product: EyouCMS
Published: Jun 29, 2026
Source: NVD
CVE-2026-13568 HIGH - 7.3

A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/users_handler.php of the component User Registration Endpoint. This manipulation of the argument role causes improper access controls. Remote exploitation of the...

Vendor: SourceCodester
Product: Inventory Management System
Published: Jun 29, 2026
Source: NVD
CVE-2026-13567 MEDIUM - 4.3

A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be launch...

Vendor: code-projects
Product: Online Music Site
Published: Jun 29, 2026
Source: NVD
CVE-2026-13566 HIGH - 7.3

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /preview3.php. The manipulation of the argument course_year_section leads to sql injection. The attack may be initiated remotely. The exploit is pu...

Vendor: SourceCodester
Product: Class and Exam Timetabling System
Published: Jun 29, 2026
Source: NVD
CVE-2026-13565 HIGH - 7.3

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /edit_class1.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The explo...

Vendor: SourceCodester
Product: Class and Exam Timetabling System
Published: Jun 29, 2026
Source: NVD

SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers).Β An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB a...

Vendor: Krajowa Izba Rozliczeniowa
Product: SzafirHost
Published: Jun 29, 2026
Source: NVD
CVE-2026-12856 HIGH - 8.8

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc h...

Vendor: Red Hat
Product: Red Hat OpenShift Dev Spaces
Published: Jun 29, 2026
Source: NVD

The /v1/upload/sbom endpoint extracts the iss claim from the attacker-supplied JWT with signature verification disabled, then interpolates that string into three log statements before any validation gate. Because the configured log format ("%(asctime)s - %(name)s - %(levelname)s - %(message)s&q...

Vendor: Eclipse Foundation
Product: Eclipse CSI - PIA
Published: Jun 29, 2026
Source: NVD
CVE-2026-11979 HIGH - 7.8

libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow interna...

Vendor: xmlsoft
Product: libxml2
Published: Jun 29, 2026
Source: NVD
CVE-2026-41992 HIGH - 7.5

GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression rout...

Vendor: GNU
Product: gzip
Published: Jun 29, 2026
Source: NVD