Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,831
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 4,401 - 4,420 of 41,119 CVEs
CVE-2026-58057 MEDIUM - 5.0

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'node_options' bypasses the NODE_OPTIONS denylist entry. An authenticated user who can configur...

Vendor: Flowise
Product: Flowise
Published: Jun 28, 2026
Source: NVD
CVE-2026-58056 HIGH - 7.6

RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded sc...

Vendor: RustDesk
Product: RustDesk
Published: Jun 28, 2026
Source: NVD
CVE-2026-58055 MEDIUM - 5.4

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ...

Vendor: nghttp2
Product: nghttp2
Published: Jun 28, 2026
Source: NVD
CVE-2026-58054 HIGH - 7.2

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-man...

Vendor: MyBB
Product: MyBB
Published: Jun 28, 2026
Source: NVD
CVE-2026-58053 CRITICAL - 9.9

Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --s...

Vendor: Gitea
Product: act_runner
Published: Jun 28, 2026
Source: NVD

7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA...

Vendor: 7-Zip
Product: 7-Zip
Published: Jun 28, 2026
Source: NVD
CVE-2026-58051 MEDIUM - 6.5

libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey...

Vendor: libssh2
Product: libssh2
Published: Jun 28, 2026
Source: NVD
CVE-2026-58050 HIGH - 7.0

libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicio...

Vendor: libssh2
Product: libssh2
Published: Jun 28, 2026
Source: NVD
CVE-2026-58049 HIGH - 8.6

FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation...

Vendor: FFmpeg
Product: FFmpeg
Published: Jun 28, 2026
Source: NVD
CVE-2026-8095 HIGH - 8.1

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, where supplying WPFM_DIR_PA...

Published: Jun 28, 2026
Source: NVD
CVE-2026-10643 HIGH - 8.7

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cms...

Vendor: zephyrproject
Product: zephyr
Published: Jun 28, 2026
Source: NVD
CVE-2026-49416 HIGH - 7.8

The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. An ...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-49414 HIGH - 7.8

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user can...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-49417 HIGH - 7.0

Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system wit...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-49413 HIGH - 7.1

The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables....

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-49412 HIGH - 7.8

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory. An unprivileged l...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-45259 MEDIUM - 6.5

sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID. A process in capability mode can use sigqueue(2) to se...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-45258 HIGH - 7.8

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted ...

Vendor: FreeBSD
Product: FreeBSD
Published: Jun 27, 2026
Source: NVD
CVE-2026-9242 MEDIUM - 5.3

The RegistrationMagic โ€“ Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler b...

Published: Jun 27, 2026
Source: NVD
CVE-2026-9233 MEDIUM - 4.3

The Quiz and Survey Master (QSM) โ€“ Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authentic...

Published: Jun 27, 2026
Source: NVD