Total CVEs

145,906

Critical Severity

4,292

High Severity

15,777

Last 7 Days

2,186
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 6,501 - 6,520 of 42,311 CVEs
CVE-2026-9776 HIGH - 7.5

ATEN Unizon writeFileToHttpServletResponse Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ATEN Unizon. Authentication is not required to exploit this vulnerability. The specific flaw...

Vendor: aten
Product: unizon
Published: Jun 24, 2026
Source: NVD
CVE-2026-9775 MEDIUM - 5.5

ATEN Unizon uploadSSL Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The specific flaw exists within the uploadSSL met...

Vendor: aten
Product: unizon
Published: Jun 24, 2026
Source: NVD
CVE-2026-9774 MEDIUM - 5.5

ATEN Unizon updateLicense Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateLic...

Vendor: aten
Product: unizon
Published: Jun 24, 2026
Source: NVD
CVE-2026-9773 HIGH - 8.8

Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within ToggleState.php. T...

Vendor: unraid
Product: unraid
Published: Jun 24, 2026
Source: NVD
CVE-2026-9772 HIGH - 8.8

Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within FileUpload.php. The...

Vendor: unraid
Product: unraid
Published: Jun 24, 2026
Source: NVD
CVE-2026-55762 HIGH - 8.1

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user β€” inc...

Vendor: RocketChat
Product: Rocket.Chat
Published: Jun 24, 2026
Source: NVD
CVE-2026-55759 HIGH - 7.4

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regar...

Vendor: RocketChat
Product: Rocket.Chat
Published: Jun 24, 2026
Source: NVD

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try block checks for an emai...

Vendor: RocketChat
Product: Rocket.Chat
Published: Jun 24, 2026
Source: NVD
CVE-2026-55570 CRITICAL - 9.0

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is prod...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-55455 CRITICAL - 9.1

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loo...

Vendor: appsmithorg
Product: appsmith
Published: Jun 24, 2026
Source: NVD
CVE-2026-55454 CRITICAL - 9.9

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API β€” which has no authentication by default β€” is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-c...

Vendor: appsmithorg
Product: appsmith
Published: Jun 24, 2026
Source: NVD

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-54158 CRITICAL - 9.9

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view (database) cell renderer genAVValueHTML interpolates cell content raw in four of its branches: text, url, phone, and mAsset. A cell value like </textarea><img src=x onerror="..."> ...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-54070 HIGH - 7.1

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitize(true). The lute sanitizer is an event-handler blocklist: allowAttr rejects only att...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default em...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-54068 MEDIUM - 5.9

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router (router.go, "δΈιœ€θ¦ι‰΄ζƒ" -- no auth needed). When called with type=8 and a valid block id parameter, thi...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-54067 CRITICAL - 9.9

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing </style> breaks out of its surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On Electron...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-54066 HIGH - 7.5

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP end...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-53766 MEDIUM - 6.1

Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resol...

Vendor: ChromeDevTools
Product: chrome-devtools-mcp
Published: Jun 24, 2026
Source: NVD
CVE-2026-52794 HIGH - 7.5

Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume dispropo...

Vendor: getsentry
Product: sentry
Published: Jun 24, 2026
Source: NVD