Total CVEs: 138,728
Critical Severity: 3,597
High Severity: 12,893
Last 7 Days: 1,758

Showing Year: 2026 (January 1 - December 31, 2026)
Showing 4,981 - 5,000 of 35,133 CVEs
CVE-2025-71314 MEDIUM - 5.5

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Recover from panthor_gpu_flush_caches() failures We have seen a few cases where the whole memory subsystem is blocked and flush operations never complete. When that happens, we want to: - schedule a reset, so we can ...

Vendor: Linux
Product: Linux
Published: Jun 03, 2026
Source: NVD
CVE-2025-71313 MEDIUM - 5.5

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Add missing NULL check for alloc_workqueue() alloc_workqueue() can return NULL on memory allocation failure. Without proper error checking, this may lead to a NULL pointer dereference when queue_work() is later call...

Vendor: Linux
Product: Linux
Published: Jun 03, 2026
Source: NVD
CVE-2019-25720 MEDIUM - 6.5

Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain a denial-of-service vulnerability in all software versions that allows unauthenticated attackers to reboot the monitor by sending a malformed network packet. Attackers can repeatedly send such malformed packets...

Vendor: Dräger
Product: SC 6002XL, SC6802XL, SC 7000, SC8000, SC90000 XL
Published: Jun 03, 2026
Source: NVD
CVE-2026-6657 MEDIUM - 6.1

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. Thi...

Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User...

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Published: Jun 03, 2026
Source: NVD
CVE-2026-37462 HIGH - 7.3

An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36748 CRITICAL - 9.0

RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36576 CRITICAL - 9.8

An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36574 HIGH - 7.8

A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.

Published: Jun 03, 2026
Source: NVD

backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phish...

Vendor: Laravel-Backpack
Product: CRUD
Published: Jun 03, 2026
Source: NVD
CVE-2026-8404 LOW - 3.1

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache...

Vendor: djangoproject
Product: django
Published: Jun 03, 2026
Source: NVD
CVE-2026-7666 LOW - 3.1

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read...

Vendor: djangoproject
Product: django
Published: Jun 03, 2026
Source: NVD
CVE-2026-6873 LOW - 3.1

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one w...

Vendor: djangoproject
Product: django
Published: Jun 03, 2026
Source: NVD
CVE-2026-5241 HIGH - 8.0

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, i...

Vendor: huggingface
Product: transformers
Published: Jun 03, 2026
Source: NVD

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs w...

Vendor: djangoproject
Product: Django
Published: Jun 03, 2026
Source: NVD