Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,826
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 4,441 - 4,460 of 41,119 CVEs
CVE-2025-59868 MEDIUM - 5.5

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application.

Vendor: HCLSoftware
Product: Traveler for Microsoft Outlook
Published: Jun 27, 2026
Source: NVD
CVE-2023-37524 HIGH - 7.7

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Β Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerabl...

Vendor: HCLSoftware
Product: Traveler for Microsoft Outlook
Published: Jun 27, 2026
Source: NVD
CVE-2026-56414 HIGH - 7.2

A vulnerability exists in H.View IP cameras certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of unexpected or malforme...

Vendor: H.VIEW
Product: HV-500S6 IP Camera
Published: Jun 26, 2026
Source: NVD
CVE-2026-55975 HIGH - 7.2

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a backend certificate creation command without proper input validation. This may allow for command ex...

Vendor: H.VIEW
Product: HV-500S6 IP Camera
Published: Jun 26, 2026
Source: NVD
CVE-2026-33560 HIGH - 7.1

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts...

Vendor: Daktronics
Product: VFC-DMP-5000, DMP-5000, DMP-8000
Published: Jun 26, 2026
Source: NVD
CVE-2026-31928 HIGH - 8.1

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.

Vendor: Daktronics
Product: VFC-DMP-5000, DMP-5000, DMP-8000
Published: Jun 26, 2026
Source: NVD
CVE-2026-28701 CRITICAL - 9.8

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Vendor: Daktronics
Product: VFC-DMP-5000, DMP-5000, DMP-8000
Published: Jun 26, 2026
Source: NVD

Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors

Vendor: composer
Product: statamic/cms
Published: Jun 26, 2026
Source: GitHub
CVE-2026-54243 MEDIUM - 6.1

Statamic Vulnerable to CSV formula injection in form submission exports

Vendor: composer
Product: statamic/cms
Published: Jun 26, 2026
Source: GitHub
CVE-2026-54242 MEDIUM - 4.9

Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)

Vendor: composer
Product: statamic/cms
Published: Jun 26, 2026
Source: GitHub
CVE-2026-50029 MEDIUM - 5.3

js-toml has silent type confusion via falsy-primitive duplicate-key bypass

Vendor: npm
Product: js-toml
Published: Jun 26, 2026
Source: GitHub
CVE-2026-49349 MEDIUM - 6.8

regclient may leak authentication credentials to external blob stores

Vendor: go
Product: github.com/regclient/regclient
Published: Jun 26, 2026
Source: GitHub
CVE-2026-55069 HIGH - 8.7

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computat...

Vendor: kestra-io
Product: kestra
Published: Jun 26, 2026
Source: NVD
CVE-2026-53577 MEDIUM - 6.5

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execu...

Vendor: kestra-io
Product: kestra
Published: Jun 26, 2026
Source: NVD
CVE-2026-53576 CRITICAL - 10.0

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. ke...

Vendor: kestra-io
Product: kestra
Published: Jun 26, 2026
Source: NVD
CVE-2026-50767 MEDIUM - 5.4

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)...

Vendor: koha
Product: koha
Published: Jun 26, 2026
Source: NVD
CVE-2026-50766 MEDIUM - 5.4

A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).

Vendor: koha
Product: koha
Published: Jun 26, 2026
Source: NVD
CVE-2026-50765 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display...

Vendor: koha
Product: koha
Published: Jun 26, 2026
Source: NVD
CVE-2026-49984 HIGH - 7.7

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past th...

Vendor: kestra-io
Product: kestra
Published: Jun 26, 2026
Source: NVD
CVE-2026-49869 CRITICAL - 10.0

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact...

Vendor: kestra-io
Product: kestra
Published: Jun 26, 2026
Source: NVD