Total CVEs

145,459

Critical Severity

4,246

High Severity

15,641

Last 7 Days

2,388
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 4,881 - 4,900 of 41,864 CVEs
CVE-2026-55276 CRITICAL - 9.1

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9....

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-53434 CRITICAL - 9.1

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11....

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-53404 HIGH - 7.3

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, fro...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-50229 MEDIUM - 6.1

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, fro...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-41896 HIGH - 7.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD
CVE-2026-34597 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Ni...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD
CVE-2026-34594 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, an authenticated command injection vulnerability in the Destination Network Management functionality allows users with destination management permissions to execute arbitrary ...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends ...

Vendor: MIK
Product: CryptX
Published: Jun 29, 2026
Source: NVD
CVE-2026-57919 HIGH - 7.8

PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trig...

Published: Jun 29, 2026
Source: NVD
CVE-2026-57498 CRITICAL - 9.6

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components acce...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD
CVE-2026-56018 HIGH - 7.5

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes with...

Vendor: GTERMARS
Product: JavaScript::Minifier::XS
Published: Jun 29, 2026
Source: NVD
CVE-2026-56017 HIGH - 7.5

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal ...

Vendor: GTERMARS
Product: JavaScript::Minifier::XS
Published: Jun 29, 2026
Source: NVD

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_co...

Vendor: leandrocp
Product: mdex
Published: Jun 29, 2026
Source: NVD

Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input. mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_docume...

Vendor: leandrocp
Product: mdex, mdex_native
Published: Jun 29, 2026
Source: NVD

Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion. The native rendering code permanently leaks memory when rendering a documen...

Vendor: leandrocp
Product: mdex, mdex_native
Published: Jun 29, 2026
Source: NVD

Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation. MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls ...

Vendor: leandrocp
Product: mdex
Published: Jun 29, 2026
Source: NVD
CVE-2026-43746 MEDIUM - 6.5

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Vendor: apple
Product: safari
Published: Jun 29, 2026
Source: NVD
CVE-2026-43745 MEDIUM - 6.5

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Vendor: apple
Product: safari
Published: Jun 29, 2026
Source: NVD
CVE-2026-43743 MEDIUM - 4.7

A race condition was addressed with improved state handling. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. An app may be able to cause unexpected system termination.

Vendor: apple
Product: ipados
Published: Jun 29, 2026
Source: NVD
CVE-2026-43742 MEDIUM - 6.5

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

Vendor: apple
Product: safari
Published: Jun 29, 2026
Source: NVD