Total CVEs

145,906

Critical Severity

4,292

High Severity

15,777

Last 7 Days

2,186
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 6,521 - 6,540 of 42,311 CVEs
CVE-2026-50551 CRITICAL - 9.9

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This vulnerability is fi...

Vendor: siyuan-note
Product: siyuan
Published: Jun 24, 2026
Source: NVD
CVE-2026-50189 HIGH - 7.2

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the AP...

Vendor: appsmithorg
Product: appsmith
Published: Jun 24, 2026
Source: NVD

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebC...

Vendor: appsmithorg
Product: appsmith
Published: Jun 24, 2026
Source: NVD
CVE-2026-47110 MEDIUM - 6.5

Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri() function...

Vendor: ueberdosis
Product: tiptap-php
Published: Jun 24, 2026
Source: NVD

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: Jun 24, 2026
Source: NVD
CVE-2026-39897 MEDIUM - 6.1

Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the html_auth_footer. This issue has been fixed in version 1.2.31.

Vendor: Cacti
Product: cacti
Published: Jun 24, 2026
Source: NVD

Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric values. The rrdtool_function_update() function checks metric values with is_numeric() and concatenates the...

Vendor: Cacti
Product: cacti
Published: Jun 24, 2026
Source: NVD
CVE-2026-39893 CRITICAL - 9.8

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest use...

Vendor: Cacti
Product: cacti
Published: Jun 24, 2026
Source: NVD
CVE-2026-2050 HIGH - 7.8

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or o...

Vendor: gimp
Product: gimp
Published: Jun 24, 2026
Source: NVD
CVE-2026-10642 MEDIUM - 6.5

The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's level-transition TX...

Vendor: zephyrproject
Product: zephyr
Published: Jun 24, 2026
Source: NVD
CVE-2026-10043 HIGH - 7.8

MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Composer. User interaction is required to exploit this vulnerability in that the target must visit a mal...

Vendor: MosaicML
Product: Composer
Published: Jun 24, 2026
Source: NVD
CVE-2025-60468 MEDIUM - 5.5

GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses free...

Vendor: gpac
Product: gpac
Published: Jun 24, 2026
Source: NVD

A potential security vulnerability has been identified in the HP Accessory WMI Provider installer for some HP Docking Stations, which might allow escalation of privilege and/or arbitrary code execution. HP is releasing software updates to mitigate the potential vulnerability.

Published: Jun 24, 2026
Source: NVD
CVE-2026-52795 MEDIUM - 4.3

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead ...

Vendor: gogs
Product: gogs
Published: Jun 24, 2026
Source: NVD
CVE-2026-50129 HIGH - 7.5

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or...

Vendor: mastodon
Product: mastodon
Published: Jun 24, 2026
Source: NVD
CVE-2026-50128 MEDIUM - 5.3

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it...

Vendor: mastodon
Product: mastodon
Published: Jun 24, 2026
Source: NVD
CVE-2026-49278 MEDIUM - 6.7

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks...

Vendor: RocketChat
Product: Rocket.Chat
Published: Jun 24, 2026
Source: NVD

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth ac...

Vendor: RocketChat
Product: Rocket.Chat
Published: Jun 24, 2026
Source: NVD
CVE-2026-47733 MEDIUM - 4.4

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkS...

Vendor: RocketChat
Product: Rocket.Chat
Published: Jun 24, 2026
Source: NVD

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implementation silently skips both SAML Response and Assertion signature validation when the configured ...

Vendor: RocketChat
Product: Rocket.Chat
Published: Jun 24, 2026
Source: NVD