Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,278
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 41 - 60 of 39,486 CVEs
CVE-2026-47829 HIGH - 8.3

Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to local command execution on the operator's workstation. Affec...

Vendor: CloudFoundry Foundation
Product: bosh-cli
Published: Jul 09, 2026
Source: NVD
CVE-2026-47828 HIGH - 7.1

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network att...

Vendor: BOSH-Ecosystem / BOSH (bosh-cli)
Product: bosh-cli
Published: Jul 09, 2026
Source: NVD
CVE-2026-47826 HIGH - 8.8

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4.

Vendor: CloudFoundry Foundation
Product: BOSH CLI tool
Published: Jul 09, 2026
Source: NVD

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request int...

Vendor: Unknown
Product: Fediverse Embeds
Published: Jul 09, 2026
Source: NVD

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the...

Vendor: Unknown
Product: Fediverse Embeds
Published: Jul 09, 2026
Source: NVD

The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check is only applied when an attacker-controllable request header holds a specific value, so it can be bypassed by omitting or chan...

Vendor: Unknown
Product: Everest Forms
Published: Jul 09, 2026
Source: NVD

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it and impersonate any ticket owner (identified by email address) to read, reply to, and close that person's support tickets.

Vendor: Unknown
Product: WP Support Plus Responsive Ticket System
Published: Jul 09, 2026
Source: NVD

The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, pho...

Vendor: Unknown
Product: WP DSGVO Tools (GDPR)
Published: Jul 09, 2026
Source: NVD

The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via pred...

Vendor: Unknown
Product: Everest Forms
Published: Jul 09, 2026
Source: NVD
CVE-2026-5523 HIGH - 8.8

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific ...

Published: Jul 09, 2026
Source: NVD
CVE-2026-41857 HIGH - 7.8

A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags. Affected versions: BOSH CLI versions prior to 7.10.5.

Vendor: CloudFoundry BOSH
Product: BOSH CLI
Published: Jul 09, 2026
Source: NVD
CVE-2026-15138 MEDIUM - 6.3

A security vulnerability has been detected in tumf mcp-text-editor up to 1.0.2. This issue affects the function _validate_file_path of the file mcp_text_editor/text_editor.py. Such manipulation of the argument file_path leads to path traversal. The attack can be launched remotely. The exploit has be...

Vendor: tumf
Product: mcp-text-editor
Published: Jul 09, 2026
Source: NVD
CVE-2026-47646 CRITICAL - 9.3

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.

Published: Jul 09, 2026
Source: NVD
CVE-2026-15137 HIGH - 7.3

A weakness has been identified in code-projects Interview Management System 1.0. This vulnerability affects unknown code of the file \inc\classes\View.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the publ...

Vendor: code-projects
Product: Interview Management System
Published: Jul 09, 2026
Source: NVD
CVE-2026-15135 HIGH - 7.3

A security flaw has been discovered in code-projects Online Food Order System 1.0. This affects an unknown part of the file /edit_food_items.php. The manipulation of the argument update results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the publi...

Vendor: code-projects
Product: Online Food Order System
Published: Jul 09, 2026
Source: NVD
CVE-2026-15134 HIGH - 7.3

A vulnerability was determined in CodeAstro Simple Online Leave Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /SimpleOnlineLeave/index.php. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remot...

Vendor: CodeAstro
Product: Simple Online Leave Management System
Published: Jul 09, 2026
Source: NVD
CVE-2026-59723 HIGH - 8.8

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validating the Origin header, and when ROOM_SECRET is unset for local...

Vendor: cline
Product: cline
Published: Jul 08, 2026
Source: NVD
CVE-2026-54499 HIGH - 7.5

Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_o...

Vendor: stanfordnlp
Product: stanza
Published: Jul 08, 2026
Source: NVD

Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: Google
Product: Chrome
Published: Jul 08, 2026
Source: NVD

Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: Google
Product: Chrome
Published: Jul 08, 2026
Source: NVD