Total CVEs

137,266

Critical Severity

3,307

High Severity

12,261

Last 7 Days

1,325
Quick preset (or use dates below)
Clear Filters
Showing 561 - 580 of 12,261 CVEs
CVE-2026-53674 HIGH - 7.1

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mention...

Vendor: BuddyPress
Product: BuddyPress
Published: Jun 10, 2026
Source: NVD
CVE-2026-53673 HIGH - 8.1

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_per...

Vendor: BuddyPress
Product: BuddyPress
Published: Jun 10, 2026
Source: NVD
CVE-2026-46541 HIGH - 7.5

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT ...

Vendor: nimiq
Product: core-rs-albatross
Published: Jun 10, 2026
Source: NVD
CVE-2026-46518 HIGH - 7.7

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a clinician&...

Vendor: openemr
Product: openemr
Published: Jun 10, 2026
Source: NVD
CVE-2026-41732 HIGH - 8.1

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-l...

Vendor: Spring
Product: Spring for Apache Pulsar
Published: Jun 10, 2026
Source: NVD
CVE-2026-41731 HIGH - 8.1

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafte...

Vendor: Spring
Product: Spring for Apache Kafka
Published: Jun 10, 2026
Source: NVD
CVE-2026-41729 HIGH - 8.1

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expres...

Vendor: Spring
Product: Spring Data REST
Published: Jun 10, 2026
Source: NVD
CVE-2026-41728 HIGH - 7.5

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5...

Vendor: Spring
Product: Spring Data REST
Published: Jun 10, 2026
Source: NVD
CVE-2026-41717 HIGH - 8.1

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 th...

Vendor: Spring
Product: Spring Data MongoDB
Published: Jun 10, 2026
Source: NVD
CVE-2026-41716 HIGH - 7.5

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.1...

Vendor: Spring
Product: Spring Data Commons
Published: Jun 10, 2026
Source: NVD
CVE-2026-41695 HIGH - 7.5

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3...

Vendor: Spring
Product: Spring Data Commons
Published: Jun 10, 2026
Source: NVD
CVE-2026-41003 HIGH - 7.6

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0...

Vendor: Spring
Product: Spring Security
Published: Jun 10, 2026
Source: NVD
CVE-2026-40993 HIGH - 7.3

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials an...

Vendor: Spring
Product: Spring Security
Published: Jun 10, 2026
Source: NVD
CVE-2026-40988 HIGH - 7.5

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5....

Vendor: Spring
Product: Spring Security
Published: Jun 10, 2026
Source: NVD
CVE-2026-9753 HIGH - 8.1

The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.

Published: Jun 09, 2026
Source: NVD
CVE-2026-9742 HIGH - 7.5

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in ...

Published: Jun 09, 2026
Source: NVD
CVE-2026-9740 HIGH - 7.5

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation funct...

Vendor: mongodb
Product: mongodb
Published: Jun 09, 2026
Source: NVD
CVE-2026-34713 HIGH - 7.5

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue ...

Vendor: Adobe
Product: CAI Content Credentials
Published: Jun 09, 2026
Source: NVD
CVE-2026-34712 HIGH - 7.5

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user inte...

Vendor: Adobe
Product: CAI Content Credentials
Published: Jun 09, 2026
Source: NVD
CVE-2026-34711 HIGH - 7.5

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user...

Vendor: Adobe
Product: CAI Content Credentials
Published: Jun 09, 2026
Source: NVD