Total CVEs

140,339

Critical Severity

3,747

High Severity

13,518

Last 7 Days

1,778
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21 - 40 of 36,744 CVEs
CVE-2026-13482 LOW - 3.7

A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed from remote. This attack is characterized by high c...

Vendor: skypilot-org
Product: skypilot
Published: Jun 28, 2026
Source: NVD
CVE-2026-10646 HIGH - 7.4

Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberate...

Vendor: zephyrproject
Product: zephyr
Published: Jun 28, 2026
Source: NVD
CVE-2026-10644 MEDIUM - 4.2

The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous (DMA) receive path. When uart_rx_enable() is invoked with a one-byte receive buffer (len == 1) and CONFIG_UART_MCHP_ASYNC is enabled, the...

Vendor: zephyrproject
Product: zephyr
Published: Jun 28, 2026
Source: NVD
CVE-2026-10593 MEDIUM - 6.5

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) t...

Vendor: zephyrproject
Product: zephyr
Published: Jun 28, 2026
Source: NVD
CVE-2026-58058 MEDIUM - 6.5

Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a cra...

Vendor: Nmap
Product: Nmap
Published: Jun 28, 2026
Source: NVD
CVE-2026-58057 MEDIUM - 5.0

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'node_options' bypasses the NODE_OPTIONS denylist entry. An authenticated user who can configur...

Vendor: Flowise
Product: Flowise
Published: Jun 28, 2026
Source: NVD
CVE-2026-58056 HIGH - 7.6

RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded sc...

Vendor: RustDesk
Product: RustDesk
Published: Jun 28, 2026
Source: NVD
CVE-2026-58055 MEDIUM - 5.4

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ...

Vendor: nghttp2
Product: nghttp2
Published: Jun 28, 2026
Source: NVD
CVE-2026-58054 HIGH - 7.2

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-man...

Vendor: MyBB
Product: MyBB
Published: Jun 28, 2026
Source: NVD
CVE-2026-58053 CRITICAL - 9.9

Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --s...

Vendor: Gitea
Product: act_runner
Published: Jun 28, 2026
Source: NVD
CVE-2026-58052 LOW - 3.3

7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA...

Vendor: 7-Zip
Product: 7-Zip
Published: Jun 28, 2026
Source: NVD
CVE-2026-58051 MEDIUM - 6.5

libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey...

Vendor: libssh2
Product: libssh2
Published: Jun 28, 2026
Source: NVD
CVE-2026-58050 HIGH - 7.0

libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicio...

Vendor: libssh2
Product: libssh2
Published: Jun 28, 2026
Source: NVD
CVE-2026-58049 HIGH - 8.6

FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation...

Vendor: FFmpeg
Product: FFmpeg
Published: Jun 28, 2026
Source: NVD
CVE-2026-8095 HIGH - 8.1

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, where supplying WPFM_DIR_PA...

Published: Jun 28, 2026
Source: NVD
CVE-2026-10643 HIGH - 8.7

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cms...

Vendor: zephyrproject
Product: zephyr
Published: Jun 28, 2026
Source: NVD
CVE-2026-49416

The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. An ...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-49414

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user can...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-49417

Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system wit...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-49413

The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables....

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD