Total CVEs

145,906

Critical Severity

4,292

High Severity

15,777

Last 7 Days

2,238
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 5,661 - 5,680 of 42,311 CVEs
CVE-2026-52884 HIGH - 7.8

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a tr...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48800 HIGH - 7.8

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validatio...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48778 HIGH - 7.8

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signa...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48770 MEDIUM - 5.0

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-termi...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-46710 HIGH - 7.8

Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installa...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-46604 HIGH - 7.5

The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

Vendor: golang.org/x/image
Product: golang.org/x/image/tiff
Published: Jun 26, 2026
Source: NVD
CVE-2026-39031 MEDIUM - 5.5

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a sing...

Published: Jun 26, 2026
Source: NVD
CVE-2026-38641 HIGH - 7.5

An issue in the DSO::mmap_and_copy function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via loading a crafted shared library.

Published: Jun 26, 2026
Source: NVD
CVE-2026-38639 HIGH - 7.5

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.

Published: Jun 26, 2026
Source: NVD
CVE-2024-23581 MEDIUM - 6.7

The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.

Vendor: HCLSoftware
Product: Traveler for Microsoft Outlook
Published: Jun 26, 2026
Source: NVD

Flawfinder output manipulation via untrusted filenames and source text

Vendor: pip
Product: flawfinder
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48804 HIGH - 7.5

python-socketio: Binary attachment accumulation can cause denial of service

Vendor: pip
Product: python-socketio
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48802 HIGH - 7.5

python-engineio has unbound thread allocation that can cause denial of service

Vendor: pip
Product: python-engineio
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48809 HIGH - 7.5

python-engineio has possible denial of service due to maximum payload size sometimes not being enforced

Vendor: pip
Product: python-engineio
Published: Jun 26, 2026
Source: GitHub

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.1, LinkifyIt.prototype.match, the package's primary public API, has O(Nยฒ) algorithmic complexity for inputs containing many fuzzy links or emails because the JavaScript-level scan loop re-slices input and re-runs ...

Vendor: npm
Product: linkify-it
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48790 MEDIUM - 5.5

turso-cli persists Turso platform JWT with world-readable (0o644) file permissions

Vendor: go
Product: github.com/tursodatabase/turso-cli
Published: Jun 26, 2026
Source: GitHub
CVE-2026-41262 MEDIUM - 4.3

Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint

Vendor: go
Product: github.com/fleetdm/fleet/v4
Published: Jun 26, 2026
Source: GitHub
CVE-2026-55838 MEDIUM - 4.3

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enfo...

Vendor: rustfs
Product: rustfs
Published: Jun 26, 2026
Source: NVD
CVE-2026-55189 HIGH - 7.7

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the...

Vendor: rustfs
Product: rustfs
Published: Jun 26, 2026
Source: NVD
CVE-2026-55188 HIGH - 8.2

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, RustFS contains an authorization bypass in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets only checks whether request credentials exist, b...

Vendor: rustfs
Product: rustfs
Published: Jun 26, 2026
Source: NVD