Total CVEs

145,521

Critical Severity

4,252

High Severity

15,657

Last 7 Days

2,299
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 4,721 - 4,740 of 41,926 CVEs
CVE-2026-57585 HIGH - 7.5

MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading to a DoS attack. If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. This is...

Vendor: msgpack
Product: msgpack-python
Published: Jun 30, 2026
Source: NVD
CVE-2026-57204 MEDIUM - 6.5

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.3, a maliciously crafted PDF can cause DoS. An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream wit...

Vendor: py-pdf
Product: pypdf
Published: Jun 30, 2026
Source: NVD
CVE-2026-52868 HIGH - 8.2

An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separation.

Vendor: OFFIS DICOM
Product: DCMTK Toolkit
Published: Jun 30, 2026
Source: NVD
CVE-2026-52196 HIGH - 7.5

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_416f28 component

Published: Jun 30, 2026
Source: NVD
CVE-2026-50254 HIGH - 7.5

An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator restarts it.

Vendor: OFFIS DICOM
Product: DCMTK Toolkit
Published: Jun 30, 2026
Source: NVD
CVE-2026-50003 CRITICAL - 9.8

A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.

Vendor: OFFIS DICOM
Product: DCMTK Toolkit
Published: Jun 30, 2026
Source: NVD
CVE-2026-37106 CRITICAL - 9.8

An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the intentional behavior when the product is configured for self-registration (a non-default fea...

Published: Jun 30, 2026
Source: NVD
CVE-2026-35505 HIGH - 7.5

An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.

Vendor: OFFIS DICOM
Product: DCMTK Toolkit
Published: Jun 30, 2026
Source: NVD
CVE-2026-11541 HIGH - 7.4

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.

Vendor: IBM
Product: WebSphere Application Server, WebSphere Application Server - Liberty
Published: Jun 30, 2026
Source: NVD
CVE-2026-10585 MEDIUM - 5.4

A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStru...

Vendor: GitHub
Product: Enterprise Server
Published: Jun 30, 2026
Source: NVD
CVE-2026-9132 MEDIUM - 6.5

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range an...

Vendor: github
Product: enterprise_server
Published: Jun 30, 2026
Source: NVD
CVE-2026-9106 MEDIUM - 5.5

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directi...

Vendor: github
Product: enterprise_server
Published: Jun 30, 2026
Source: NVD
CVE-2026-44628 HIGH - 7.5

An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record.

Vendor: OFFIS DICOM
Product: DCMTK Toolkit
Published: Jun 30, 2026
Source: NVD
CVE-2026-13207 HIGH - 7.5

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefi...

Vendor: Frangoteam
Product: FUXA SCADA/HMI
Published: Jun 30, 2026
Source: NVD
CVE-2026-11594 HIGH - 8.5

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console.

Vendor: IBM
Product: WebSphere Application Server
Published: Jun 30, 2026
Source: NVD

An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface.ย  An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web ...

Vendor: TP-Link Systems Inc.
Product: Archer AX20 V2.0
Published: Jun 30, 2026
Source: NVD
CVE-2025-36359 HIGH - 8.1

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.

Vendor: IBM
Product: DevOps Automation, DevOps Loop
Published: Jun 30, 2026
Source: NVD
CVE-2025-36336 MEDIUM - 5.9

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.

Vendor: IBM
Product: watsonx.data intelligence
Published: Jun 30, 2026
Source: NVD
CVE-2025-36333 MEDIUM - 4.3

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow.

Vendor: IBM
Product: watsonx.data intelligence
Published: Jun 30, 2026
Source: NVD
CVE-2025-36328 MEDIUM - 4.3

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.ย  This information could be used in further attacks against the system.

Vendor: IBM
Product: watsonx.data intelligence
Published: Jun 30, 2026
Source: NVD