Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,319
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 5,021 - 5,040 of 42,148 CVEs

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON ...

Vendor: seaweedfs
Product: seaweedfs
Published: Jun 30, 2026
Source: NVD
CVE-2026-58370 HIGH - 8.1

Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) carried in the webhook payload, which is attacker-controlled and not verified by GitLab. A use...

Vendor: woodpecker-ci
Product: woodpecker
Published: Jun 30, 2026
Source: NVD
CVE-2026-58369 MEDIUM - 5.3

Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User ...

Vendor: woodpecker-ci
Product: woodpecker
Published: Jun 30, 2026
Source: NVD
CVE-2026-58176 MEDIUM - 6.5

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global authenti...

Vendor: dromara
Product: RuoYi-Vue-Plus
Published: Jun 30, 2026
Source: NVD
CVE-2026-58174 MEDIUM - 6.5

Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persisted with a null profile. Because a null profile is treated as ...

Vendor: nesquena
Product: hermes-webui
Published: Jun 30, 2026
Source: NVD
CVE-2026-58173 MEDIUM - 6.5

Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences through the remember tool. Attackers can manipulate the memory_type parame...

Vendor: HKUDS
Product: Vibe-Trading
Published: Jun 30, 2026
Source: NVD
CVE-2026-58172 CRITICAL - 9.1

Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs om...

Vendor: ThreeMammals
Product: Ocelot
Published: Jun 30, 2026
Source: NVD
CVE-2026-58171 MEDIUM - 4.2

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run....

Vendor: HKUDS
Product: Vibe-Trading
Published: Jun 30, 2026
Source: NVD
CVE-2026-58170 HIGH - 8.3

Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization (agent/src/live/mandate/commit.py). A proposal identifier containing path traversal sequences causes the application to load an attacker-...

Vendor: HKUDS
Product: Vibe-Trading
Published: Jun 30, 2026
Source: NVD
CVE-2026-58169 HIGH - 7.5

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to 0....

Vendor: HKUDS
Product: Vibe-Trading
Published: Jun 30, 2026
Source: NVD
CVE-2026-58168 HIGH - 8.8

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None instead of a denied result when mcp_tools is omitted from a user's grant in deeptutor/multi_user/t...

Vendor: HKUDS
Product: DeepTutor
Published: Jun 30, 2026
Source: NVD
CVE-2026-58167 MEDIUM - 6.5

Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is regis...

Vendor: ccfos
Product: nightingale
Published: Jun 30, 2026
Source: NVD
CVE-2026-58166 CRITICAL - 9.1

OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a malicious multipart filename in the file upload endpoint. Attackers can send a crafted filename containing pa...

Vendor: OpenBMB
Product: ChatDev
Published: Jun 30, 2026
Source: NVD
CVE-2026-58165 HIGH - 8.8

OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments for any identity, including the default administrator, because the ApplyCreate funct...

Vendor: openziti
Product: ziti
Published: Jun 30, 2026
Source: NVD
CVE-2026-10655 MEDIUM - 6.5

The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the network socket service, without synchronizing with the socket-service poll thread. The socket service ...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD

A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISCONNECTING, DISC sent, RTX timer armed) and the con...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD
CVE-2026-10653 MEDIUM - 6.4

The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, if (--buf->ref > 0), if (--(*ref_count)...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD
CVE-2026-10652 MEDIUM - 4.8

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT...

Vendor: zephyrproject
Product: zephyr
Published: Jun 30, 2026
Source: NVD
CVE-2026-47198 HIGH - 8.5

Paymenter has URL parameter injection that bypasses paid plan limits at checkout

Vendor: composer
Product: paymenter/paymenter
Published: Jun 30, 2026
Source: GitHub
CVE-2023-46118 MEDIUM - 4.9

RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API a...

Vendor: erlang
Product: rabbit_common
Published: Jun 30, 2026
Source: GitHub