Total CVEs

137,266

Critical Severity

3,307

High Severity

12,261

Last 7 Days

1,368
Quick preset (or use dates below)
Clear Filters
Showing 461 - 480 of 12,261 CVEs
CVE-2026-8589 HIGH - 7.3

GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper san...

Vendor: gitlab
Product: gitlab
Published: Jun 11, 2026
Source: NVD
CVE-2026-7250 HIGH - 7.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsin...

Vendor: gitlab
Product: gitlab
Published: Jun 11, 2026
Source: NVD
CVE-2026-6552 HIGH - 8.7

GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improp...

Vendor: gitlab
Product: gitlab
Published: Jun 11, 2026
Source: NVD
CVE-2026-10087 HIGH - 8.7

GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a target...

Vendor: GitLab
Product: GitLab
Published: Jun 11, 2026
Source: NVD
CVE-2026-5497 HIGH - 7.5

vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to extract individual J...

Vendor: vllm
Product: vllm
Published: Jun 11, 2026
Source: NVD
CVE-2023-33999 HIGH - 7.1

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.

Vendor: WPVibes
Product: WP Mail Log
Published: Jun 11, 2026
Source: NVD
CVE-2026-41856 HIGH - 7.5

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at...

Vendor: Spring
Product: Spring for GraphQL
Published: Jun 11, 2026
Source: NVD
CVE-2026-41700 HIGH - 8.1

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. A...

Vendor: Spring
Product: Spring for GraphQL
Published: Jun 11, 2026
Source: NVD
CVE-2026-41699 HIGH - 8.1

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific...

Vendor: Spring
Product: Spring for GraphQL
Published: Jun 11, 2026
Source: NVD
CVE-2026-40999 HIGH - 8.6

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected...

Vendor: Spring
Product: Spring Web Services
Published: Jun 11, 2026
Source: NVD
CVE-2026-40998 HIGH - 8.2

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against unt...

Vendor: Spring
Product: Spring Web Services
Published: Jun 11, 2026
Source: NVD
CVE-2026-40994 HIGH - 8.2

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level chec...

Vendor: Spring
Product: Spring Web Services
Published: Jun 11, 2026
Source: NVD
CVE-2026-40987 HIGH - 7.1

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6...

Vendor: Spring
Product: Spring Integration
Published: Jun 11, 2026
Source: NVD
CVE-2026-10795 HIGH - 8.1

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message for...

Vendor: davidanderson
Product: UpdraftPlus: WP Backup & Migration Plugin
Published: Jun 11, 2026
Source: NVD
CVE-2026-53461 HIGH - 7.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, an incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-2...

Vendor: ImageMagick
Product: ImageMagick
Published: Jun 10, 2026
Source: NVD
CVE-2026-53460 HIGH - 7.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition. This issue has been patched in versions 6.9.13-50 and ...

Vendor: ImageMagick
Product: ImageMagick
Published: Jun 10, 2026
Source: NVD
CVE-2026-52726 HIGH - 7.5

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafte...

Vendor: jelmer
Product: dulwich
Published: Jun 10, 2026
Source: NVD
CVE-2026-50223 HIGH - 8.8

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: ...

Vendor: Apache Software Foundation
Product: Apache OFBiz
Published: Jun 10, 2026
Source: NVD
CVE-2026-49218 HIGH - 7.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions and that could cause crashes in other operation. This issue has been patched in...

Vendor: ImageMagick
Product: ImageMagick
Published: Jun 10, 2026
Source: NVD
CVE-2026-47342 HIGH - 8.8

A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache OFBiz
Published: Jun 10, 2026
Source: NVD