Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,275
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 381 - 400 of 39,613 CVEs
CVE-2026-55873 MEDIUM - 4.3

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privile...

Vendor: seaweedfs
Product: seaweedfs
Published: Jul 08, 2026
Source: NVD
CVE-2026-55668 MEDIUM - 6.3

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled...

Vendor: filebrowser
Product: filebrowser
Published: Jul 08, 2026
Source: NVD
CVE-2026-54652 HIGH - 8.1

Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and ena...

Vendor: blakeblackshear
Product: frigate
Published: Jul 08, 2026
Source: NVD
CVE-2026-49147 HIGH - 7.5

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _sa...

Vendor: PETDANCE
Product: App::Ack
Published: Jul 08, 2026
Source: NVD
CVE-2026-49146 HIGH - 7.5

App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack si...

Vendor: PETDANCE
Product: App::Ack
Published: Jul 08, 2026
Source: NVD
CVE-2026-49145 HIGH - 7.5

App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-...

Vendor: PETDANCE
Product: App::Ack
Published: Jul 08, 2026
Source: NVD
CVE-2026-24700 HIGH - 7.2

An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticat...

Published: Jul 08, 2026
Source: NVD
CVE-2026-24699 HIGH - 7.2

An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authen...

Published: Jul 08, 2026
Source: NVD
CVE-2026-24698 HIGH - 7.2

An OS command injection vulnerability exists in the save_syslog_to_file() function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The model_name configuration parameter is not properly sanitized, which could allow an a...

Published: Jul 08, 2026
Source: NVD
CVE-2026-24697 HIGH - 7.2

An OS command injection vulnerability exists in the start_bonjour() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The wan_hostname configuration parameter is not properly sanitized, which could allow an authenti...

Published: Jul 08, 2026
Source: NVD
CVE-2026-15067 HIGH - 8.8

Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltratio...

Vendor: Snowflake
Product: Terraform Provider for Snowflake
Published: Jul 08, 2026
Source: NVD
CVE-2026-15062 CRITICAL - 9.6

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database co...

Vendor: Snowflake
Product: Snowpark Python SDK
Published: Jul 08, 2026
Source: NVD
CVE-2026-15044 MEDIUM - 6.3

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the clu...

Vendor: Red Hat
Product: Red Hat OpenShift AI (RHOAI)
Published: Jul 08, 2026
Source: NVD
CVE-2026-15036 MEDIUM - 4.3

A vulnerability was determined in Harness up to 2.28.2. This vulnerability affects the function getAuthorizedSpaces of the file app/api/controller/gitspace/list_all.go of the component gitspaces Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely....

Product: Harness
Published: Jul 08, 2026
Source: NVD
CVE-2026-11903 HIGH - 8.0

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module). This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.

Vendor: Progress
Product: MOVEit Transfer
Published: Jul 08, 2026
Source: NVD
CVE-2026-10708 HIGH - 7.5

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absen...

Vendor: Adalo No-Code App Builder
Product: App Builder
Published: Jul 08, 2026
Source: NVD
CVE-2026-10706 HIGH - 7.5

In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing ...

Vendor: Adalo No-Code App Builder
Product: App Builder
Published: Jul 08, 2026
Source: NVD
CVE-2026-10699 HIGH - 7.5

Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.

Vendor: Progress
Product: MOVEit Transfer
Published: Jul 08, 2026
Source: NVD
CVE-2026-10698 HIGH - 7.2

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.

Vendor: Progress
Product: MOVEit Transfer
Published: Jul 08, 2026
Source: NVD

MISP’s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricte...

Vendor: misp
Product: misp
Published: Jul 08, 2026
Source: NVD