Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,276
Quick preset (or use dates below)
Clear Filters
Showing 5,161 - 5,180 of 145,743 CVEs
CVE-2026-10647 MEDIUM - 5.3

The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data-sync_sem, K_FOREVER), blocking on a completion semaphore th...

Vendor: zephyrproject
Product: zephyr
Published: Jun 29, 2026
Source: NVD
CVE-2026-55957 HIGH - 7.3

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 throug...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-55956 MEDIUM - 6.5

Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-55955 MEDIUM - 6.5

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from ...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-55276 CRITICAL - 9.1

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9....

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-53434 CRITICAL - 9.1

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11....

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-53404 HIGH - 7.3

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, fro...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-50229 MEDIUM - 6.1

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, fro...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: Jun 29, 2026
Source: NVD
CVE-2026-41896 HIGH - 7.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD
CVE-2026-34597 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the Ni...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD
CVE-2026-34594 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, an authenticated command injection vulnerability in the Destination Network Management functionality allows users with destination management permissions to execute arbitrary ...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends ...

Vendor: MIK
Product: CryptX
Published: Jun 29, 2026
Source: NVD
CVE-2026-57919 HIGH - 7.8

PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trig...

Published: Jun 29, 2026
Source: NVD
CVE-2026-57498 CRITICAL - 9.6

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components acce...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD
CVE-2026-56018 HIGH - 7.5

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes with...

Vendor: GTERMARS
Product: JavaScript::Minifier::XS
Published: Jun 29, 2026
Source: NVD
CVE-2026-56017 HIGH - 7.5

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal ...

Vendor: GTERMARS
Product: JavaScript::Minifier::XS
Published: Jun 29, 2026
Source: NVD

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_co...

Vendor: leandrocp
Product: mdex
Published: Jun 29, 2026
Source: NVD

Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input. mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_docume...

Vendor: leandrocp
Product: mdex, mdex_native
Published: Jun 29, 2026
Source: NVD

Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion. The native rendering code permanently leaks memory when rendering a documen...

Vendor: leandrocp
Product: mdex, mdex_native
Published: Jun 29, 2026
Source: NVD

Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation. MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls ...

Vendor: leandrocp
Product: mdex
Published: Jun 29, 2026
Source: NVD