Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,859
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 5,161 - 5,180 of 37,697 CVEs
CVE-2026-46489 HIGH - 8.1

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every ...

Vendor: SolidInvoice
Product: SolidInvoice
Published: Jun 11, 2026
Source: NVD

Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in security controls or cryptographic validations. Under specific circumstances, this could allow the attacker to ...

Vendor: CyberArk Software, a Palo Alto Networks Company
Product: Idira Endpoint Privilege Manager
Published: Jun 11, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Jun 11, 2026
Source: NVD
CVE-2026-53702 MEDIUM - 6.5

A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the r...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jun 11, 2026
Source: NVD
CVE-2026-53701 MEDIUM - 6.5

An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bou...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jun 11, 2026
Source: NVD
CVE-2026-52860 HIGH - 7.8

Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter...

Vendor: vim
Product: vim
Published: Jun 11, 2026
Source: NVD
CVE-2026-52859 HIGH - 8.2

Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stoppi...

Vendor: vim
Product: vim
Published: Jun 11, 2026
Source: NVD
CVE-2026-52858 HIGH - 7.8

Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found...

Vendor: vim
Product: vim
Published: Jun 11, 2026
Source: NVD
CVE-2026-48547 HIGH - 7.3

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a child_process.execSync() cal...

Vendor: lingdojo
Product: kana-dojo
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim gu...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the latest release suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without allowedMentions. A mo...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a vali...

Vendor: PenguinMod
Product: PenguinMod-BackendApi
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to ...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see,...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can st...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy t...

Vendor: duck-organization
Product: duck-site
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason in...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out t...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mas...

Vendor: duck-organization
Product: quest-bot
Published: Jun 11, 2026
Source: NVD
CVE-2026-47170 HIGH - 7.7

Garlic-Hub manages digital signage network โ€” devices, content, and playlists โ€” from a single self-hosted interface. Prior to version 1.1, authenticated users can cause the server to issue arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. This allows internal port scanning,...

Vendor: garlic-signage
Product: garlic-hub
Published: Jun 11, 2026
Source: NVD