Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,826
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 4,461 - 4,480 of 41,119 CVEs
CVE-2026-45807 HIGH - 7.7

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only i...

Vendor: kestra-io
Product: kestra
Published: Jun 26, 2026
Source: NVD
CVE-2026-38571 MEDIUM - 4.6

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbi...

Published: Jun 26, 2026
Source: NVD
CVE-2026-36908 MEDIUM - 5.5

A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Published: Jun 26, 2026
Source: NVD
CVE-2026-36907 MEDIUM - 5.5

A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Published: Jun 26, 2026
Source: NVD
CVE-2026-36478 HIGH - 7.5

An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components

Published: Jun 26, 2026
Source: NVD

Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy

Vendor: composer
Product: aimeos/pagible
Published: Jun 26, 2026
Source: GitHub
CVE-2026-49258 HIGH - 8.8

Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)

Vendor: go
Product: github.com/juev/nebula-mesh
Published: Jun 26, 2026
Source: GitHub
CVE-2026-52885 MEDIUM - 6.3

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application ...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-52884 HIGH - 7.8

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a tr...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48800 HIGH - 7.8

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validatio...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48778 HIGH - 7.8

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signa...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48770 MEDIUM - 5.0

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-termi...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-46710 HIGH - 7.8

Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installa...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-46604 HIGH - 7.5

The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

Vendor: golang.org/x/image
Product: golang.org/x/image/tiff
Published: Jun 26, 2026
Source: NVD
CVE-2026-39031 MEDIUM - 5.5

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a sing...

Published: Jun 26, 2026
Source: NVD
CVE-2026-38641 HIGH - 7.5

An issue in the DSO::mmap_and_copy function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via loading a crafted shared library.

Published: Jun 26, 2026
Source: NVD
CVE-2026-38639 HIGH - 7.5

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.

Published: Jun 26, 2026
Source: NVD
CVE-2024-23581 MEDIUM - 6.7

The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.

Vendor: HCLSoftware
Product: Traveler for Microsoft Outlook
Published: Jun 26, 2026
Source: NVD

Flawfinder output manipulation via untrusted filenames and source text

Vendor: pip
Product: flawfinder
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48804 HIGH - 7.5

python-socketio: Binary attachment accumulation can cause denial of service

Vendor: pip
Product: python-socketio
Published: Jun 26, 2026
Source: GitHub