Total CVEs

144,730

Critical Severity

4,194

High Severity

15,272

Last 7 Days

1,735
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 3,981 - 4,000 of 41,135 CVEs
CVE-2026-10546 HIGH - 7.1

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-Use (TOCTOU) race condition that can be exploited via DNS rebinding.

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10140 CRITICAL - 9.6

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leadin...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10134 CRITICAL - 10.0

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally mo...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10129 HIGH - 8.5

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying...

Vendor: IBM
Product: Langflow OSS
Published: Jun 30, 2026
Source: NVD
CVE-2026-10109 CRITICAL - 9.8

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling.

Vendor: IBM
Product: Db2
Published: Jun 30, 2026
Source: NVD
CVE-2025-36372 MEDIUM - 5.5

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables.

Vendor: IBM
Product: Db2
Published: Jun 30, 2026
Source: NVD
CVE-2026-58138 CRITICAL - 9.8

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to au...

Vendor: conductor-oss
Product: conductor
Published: Jun 30, 2026
Source: NVD
CVE-2026-10513 HIGH - 7.2

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties ...

Vendor: pfefferle
Product: Webmention
Published: Jun 30, 2026
Source: NVD
CVE-2026-55219 MEDIUM - 5.3

Paymenter has race condition in payWithCredit() that enables credit double-spend

Vendor: composer
Product: paymenter/paymenter
Published: Jun 30, 2026
Source: GitHub

Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub

Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub

Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub

Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Vendor: composer
Product: twig/twig
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49835 MEDIUM - 5.9

Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality

Vendor: go
Product: github.com/sigstore/timestamp-authority/v2
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49478 HIGH - 8.7

Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage

Vendor: go
Product: github.com/sigstore/fulcio
Published: Jun 30, 2026
Source: GitHub
CVE-2026-48796 MEDIUM - 5.3

CefSharp.Common: `FolderSchemeHandlerFactory` path boundary check can expose files outside the configured root folder

Vendor: nuget
Product: CefSharp.Common
Published: Jun 30, 2026
Source: GitHub
CVE-2026-48795 HIGH - 8.6

@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754

Vendor: npm
Product: @adonisjs/bodyparser
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49820 MEDIUM - 4.7

Probo has an open redirect bypass via path normalization

Vendor: go
Product: go.probo.inc/probo
Published: Jun 30, 2026
Source: GitHub

Sigstore Java has a vulnerability with bundle verification of integratedTime

Vendor: maven
Product: dev.sigstore:sigstore-java
Published: Jun 30, 2026
Source: GitHub
CVE-2026-49473 HIGH - 8.8

@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation

Vendor: npm
Product: @cedar-policy/authorization-for-expressjs
Published: Jun 30, 2026
Source: GitHub