Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,261
Quick preset (or use dates below)
Clear Filters
Showing 401 - 420 of 143,232 CVEs

BBOT's `github_workflows` module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve `..`, so a crafted `CODE_REPOSITORY` URL could traverse out of the intended folder. The write is bounded to two directory levels a...

Vendor: Black Lantern Security
Product: BBOT
Published: Jul 08, 2026
Source: NVD

BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted d...

Vendor: Black Lantern Security
Product: BBOT
Published: Jul 08, 2026
Source: NVD
CVE-2026-59703 HIGH - 7.5

repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file:// scheme...

Vendor: repomix
Product: repomix
Published: Jul 08, 2026
Source: NVD
CVE-2026-55874 HIGH - 7.7

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side cop...

Vendor: seaweedfs
Product: seaweedfs
Published: Jul 08, 2026
Source: NVD
CVE-2026-55873 MEDIUM - 4.3

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privile...

Vendor: seaweedfs
Product: seaweedfs
Published: Jul 08, 2026
Source: NVD
CVE-2026-55668 MEDIUM - 6.3

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled...

Vendor: filebrowser
Product: filebrowser
Published: Jul 08, 2026
Source: NVD
CVE-2026-54652 HIGH - 8.1

Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and ena...

Vendor: blakeblackshear
Product: frigate
Published: Jul 08, 2026
Source: NVD
CVE-2026-49147 HIGH - 7.5

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _sa...

Vendor: PETDANCE
Product: App::Ack
Published: Jul 08, 2026
Source: NVD
CVE-2026-49146 HIGH - 7.5

App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack si...

Vendor: PETDANCE
Product: App::Ack
Published: Jul 08, 2026
Source: NVD
CVE-2026-49145 HIGH - 7.5

App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-...

Vendor: PETDANCE
Product: App::Ack
Published: Jul 08, 2026
Source: NVD
CVE-2026-24700 HIGH - 7.2

An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticat...

Published: Jul 08, 2026
Source: NVD
CVE-2026-24699 HIGH - 7.2

An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authen...

Published: Jul 08, 2026
Source: NVD
CVE-2026-24698 HIGH - 7.2

An OS command injection vulnerability exists in the save_syslog_to_file() function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The model_name configuration parameter is not properly sanitized, which could allow an a...

Published: Jul 08, 2026
Source: NVD
CVE-2026-24697 HIGH - 7.2

An OS command injection vulnerability exists in the start_bonjour() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The wan_hostname configuration parameter is not properly sanitized, which could allow an authenti...

Published: Jul 08, 2026
Source: NVD
CVE-2026-15067 HIGH - 8.8

Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltratio...

Vendor: Snowflake
Product: Terraform Provider for Snowflake
Published: Jul 08, 2026
Source: NVD
CVE-2026-15062 CRITICAL - 9.6

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database co...

Vendor: Snowflake
Product: Snowpark Python SDK
Published: Jul 08, 2026
Source: NVD
CVE-2026-15044 MEDIUM - 6.3

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the clu...

Vendor: Red Hat
Product: Red Hat OpenShift AI (RHOAI)
Published: Jul 08, 2026
Source: NVD
CVE-2026-15036 MEDIUM - 4.3

A vulnerability was determined in Harness up to 2.28.2. This vulnerability affects the function getAuthorizedSpaces of the file app/api/controller/gitspace/list_all.go of the component gitspaces Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely....

Product: Harness
Published: Jul 08, 2026
Source: NVD
CVE-2026-11903 HIGH - 8.0

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module). This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.

Vendor: Progress
Product: MOVEit Transfer
Published: Jul 08, 2026
Source: NVD
CVE-2026-10708 HIGH - 7.5

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the absen...

Vendor: Adalo No-Code App Builder
Product: App Builder
Published: Jul 08, 2026
Source: NVD