Total CVEs

146,449

Critical Severity

4,294

High Severity

15,812

Last 7 Days

2,648
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 6,201 - 6,220 of 42,854 CVEs

Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy

Vendor: composer
Product: aimeos/pagible
Published: Jun 26, 2026
Source: GitHub
CVE-2026-49258 HIGH - 8.8

Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)

Vendor: go
Product: github.com/juev/nebula-mesh
Published: Jun 26, 2026
Source: GitHub
CVE-2026-52885 MEDIUM - 6.3

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application ...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-52884 HIGH - 7.8

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a tr...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48800 HIGH - 7.8

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:3658) in the feedUserCmds() function and stored in UserCommand._cmd without any validatio...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48778 HIGH - 7.8

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signa...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-48770 MEDIUM - 5.0

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-termi...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-46710 HIGH - 7.8

Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without using an absolute path after setting the working directory to the installa...

Vendor: notepad-plus-plus
Product: notepad-plus-plus
Published: Jun 26, 2026
Source: NVD
CVE-2026-46604 HIGH - 7.5

The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

Vendor: golang.org/x/image
Product: golang.org/x/image/tiff
Published: Jun 26, 2026
Source: NVD
CVE-2026-39031 MEDIUM - 5.5

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a sing...

Published: Jun 26, 2026
Source: NVD
CVE-2026-38641 HIGH - 7.5

An issue in the DSO::mmap_and_copy function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via loading a crafted shared library.

Published: Jun 26, 2026
Source: NVD
CVE-2026-38639 HIGH - 7.5

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.

Published: Jun 26, 2026
Source: NVD
CVE-2024-23581 MEDIUM - 6.7

The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.

Vendor: HCLSoftware
Product: Traveler for Microsoft Outlook
Published: Jun 26, 2026
Source: NVD

Flawfinder output manipulation via untrusted filenames and source text

Vendor: pip
Product: flawfinder
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48804 HIGH - 7.5

python-socketio: Binary attachment accumulation can cause denial of service

Vendor: pip
Product: python-socketio
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48802 HIGH - 7.5

python-engineio has unbound thread allocation that can cause denial of service

Vendor: pip
Product: python-engineio
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48809 HIGH - 7.5

python-engineio has possible denial of service due to maximum payload size sometimes not being enforced

Vendor: pip
Product: python-engineio
Published: Jun 26, 2026
Source: GitHub

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.1, LinkifyIt.prototype.match, the package's primary public API, has O(Nยฒ) algorithmic complexity for inputs containing many fuzzy links or emails because the JavaScript-level scan loop re-slices input and re-runs ...

Vendor: npm
Product: linkify-it
Published: Jun 26, 2026
Source: GitHub
CVE-2026-48790 MEDIUM - 5.5

turso-cli persists Turso platform JWT with world-readable (0o644) file permissions

Vendor: go
Product: github.com/tursodatabase/turso-cli
Published: Jun 26, 2026
Source: GitHub
CVE-2026-41262 MEDIUM - 4.3

Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint

Vendor: go
Product: github.com/fleetdm/fleet/v4
Published: Jun 26, 2026
Source: GitHub