Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,270
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 621 - 640 of 39,637 CVEs
CVE-2026-48952 MEDIUM - 6.1

Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.

Vendor: Joomla! Project
Product: Joomla! CMS
Published: Jul 07, 2026
Source: NVD
CVE-2026-48951 MEDIUM - 6.1

Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.

Vendor: Joomla! Project
Product: Joomla! CMS
Published: Jul 07, 2026
Source: NVD
CVE-2026-48950 MEDIUM - 6.1

Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.

Vendor: Joomla! Project
Product: Joomla! CMS
Published: Jul 07, 2026
Source: NVD
CVE-2026-48949 MEDIUM - 6.1

Lack of validation leads to an XSS vulnerability in the MFA management views.

Vendor: Joomla! Project
Product: Joomla! CMS
Published: Jul 07, 2026
Source: NVD
CVE-2026-48948 HIGH - 8.8

An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.

Vendor: Joomla! Project
Product: Joomla! CMS
Published: Jul 07, 2026
Source: NVD
CVE-2026-48947 MEDIUM - 4.9

An improper access check allows privileged users to overwrite media files without editing permissions.

Vendor: Joomla! Project
Product: Joomla! CMS
Published: Jul 07, 2026
Source: NVD
CVE-2026-57851 HIGH - 7.8

MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privile...

Vendor: Micro-Star International (MSI)
Product: KernCoreLib64.sys
Published: Jul 07, 2026
Source: NVD
CVE-2026-23698 HIGH - 7.2

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents dir...

Vendor: Vtiger
Product: Vtiger CRM
Published: Jul 07, 2026
Source: NVD
CVE-2026-23697 HIGH - 8.8

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar...

Vendor: Vtiger
Product: Vtiger CRM
Published: Jul 07, 2026
Source: NVD
CVE-2026-14904 MEDIUM - 6.5

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated r...

Vendor: AWS
Product: res
Published: Jul 07, 2026
Source: NVD
CVE-2026-13020 HIGH - 8.1

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an em...

Vendor: Esri
Product: Portal for ArcGIS
Published: Jul 07, 2026
Source: NVD
CVE-2026-13019 CRITICAL - 9.8

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

Vendor: Esri
Product: Portal for ArcGIS
Published: Jul 07, 2026
Source: NVD
CVE-2025-12799 MEDIUM - 6.5

A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.

Published: Jul 07, 2026
Source: NVD
CVE-2026-56812 HIGH - 7.5

Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is ass...

Vendor: phoenixframework
Product: phoenix
Published: Jul 07, 2026
Source: NVD
CVE-2026-56811 HIGH - 7.5

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll). This v...

Vendor: phoenixframework
Product: phoenix
Published: Jul 07, 2026
Source: NVD
CVE-2026-14969 MEDIUM - 4.4

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.

Vendor: Red Hat
Product: Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 07, 2026
Source: NVD

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 07, 2026
Source: NVD
CVE-2026-59709 MEDIUM - 4.3

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remov...

Vendor: Ghostfolio
Product: Ghostfolio
Published: Jul 07, 2026
Source: NVD
CVE-2026-53878 MEDIUM - 6.1

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. D...

Vendor: djangoproject
Product: Django
Published: Jul 07, 2026
Source: NVD
CVE-2026-53877 MEDIUM - 4.8

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer...

Vendor: djangoproject
Product: Django
Published: Jul 07, 2026
Source: NVD