Total CVEs

144,730

Critical Severity

4,194

High Severity

15,272

Last 7 Days

1,735
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 3,961 - 3,980 of 41,135 CVEs
CVE-2026-7871 CRITICAL - 9.8

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-7803 CRITICAL - 9.8

IBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-7663 CRITICAL - 9.1

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Vendor: langflow
Product: langflow
Published: Jun 30, 2026
Source: NVD
CVE-2026-3602 MEDIUM - 4.7

IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.

Vendor: ibm
Product: app_connect_enterprise
Published: Jun 30, 2026
Source: NVD
CVE-2026-13773 MEDIUM - 6.0

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, turning any unfiltered ObjectInputStream sink in WAS into out...

Vendor: IBM
Product: WebSphere Extreme Scale
Published: Jun 30, 2026
Source: NVD
CVE-2026-13772 HIGH - 7.5

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticate...

Vendor: IBM
Product: WebSphere Extreme Scale
Published: Jun 30, 2026
Source: NVD
CVE-2026-13759 HIGH - 7.5

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 ships three ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) that install no JEP-290 class filter; when Coherence is on the classpath, multiple RCE gadget chains including RemoteCon...

Vendor: IBM
Product: WebSphere Extreme Scale
Published: Jun 30, 2026
Source: NVD
CVE-2026-13449 HIGH - 7.6

IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Vendor: IBM
Product: Business Automation Manager Open Editions
Published: Jun 30, 2026
Source: NVD
CVE-2026-12086 MEDIUM - 6.2

IBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user.

Vendor: IBM
Product: UCD - IBM UrbanCode Deploy, UCD - IBM DevOps Deploy
Published: Jun 30, 2026
Source: NVD
CVE-2026-12085 MEDIUM - 6.5

IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks a...

Vendor: IBM
Product: UCD - IBM UrbanCode Deploy, UCD - IBM DevOps Deploy
Published: Jun 30, 2026
Source: NVD
CVE-2026-12084 MEDIUM - 5.4

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

Vendor: IBM
Product: UCD - IBM DevOps Deploy
Published: Jun 30, 2026
Source: NVD
CVE-2026-11906 MEDIUM - 6.5

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.

Vendor: IBM
Product: Db2
Published: Jun 30, 2026
Source: NVD
CVE-2026-11806 HIGH - 7.2

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.

Vendor: IBM
Product: WebSphere Application Server - Liberty
Published: Jun 30, 2026
Source: NVD
CVE-2026-11714 HIGH - 8.5

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.

Vendor: IBM
Product: WebSphere Application Server - Liberty
Published: Jun 30, 2026
Source: NVD
CVE-2026-11712 CRITICAL - 9.3

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system.

Vendor: IBM
Product: WebSphere Application Server
Published: Jun 30, 2026
Source: NVD
CVE-2026-11708 CRITICAL - 9.3

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.

Vendor: IBM
Product: WebSphere Application Server
Published: Jun 30, 2026
Source: NVD
CVE-2026-11595 MEDIUM - 4.3

IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.

Vendor: IBM
Product: WebSphere Application Server
Published: Jun 30, 2026
Source: NVD
CVE-2026-11546 HIGH - 7.1

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.

Vendor: IBM
Product: WebSphere Application Server - Liberty
Published: Jun 30, 2026
Source: NVD
CVE-2026-10564 HIGH - 8.2

IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker ca...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10560 HIGH - 8.2

IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD