Total CVEs

143,377

Critical Severity

4,061

High Severity

14,648

Last 7 Days

1,387
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 701 - 720 of 39,782 CVEs
CVE-2026-51937 HIGH - 7.5

An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component

Published: Jul 07, 2026
Source: NVD
CVE-2026-50811 MEDIUM - 6.5

An out-of-bounds read vulnerability exists in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 in src/truetype/ttgxvar.c, in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates

Published: Jul 07, 2026
Source: NVD
CVE-2026-50810 MEDIUM - 5.5

A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service

Published: Jul 07, 2026
Source: NVD
CVE-2026-37271 CRITICAL - 9.8

Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby d...

Published: Jul 07, 2026
Source: NVD
CVE-2026-37270 CRITICAL - 9.8

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

Published: Jul 07, 2026
Source: NVD
CVE-2026-36163 MEDIUM - 5.4

An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.

Published: Jul 07, 2026
Source: NVD
CVE-2026-36162 MEDIUM - 5.4

An authenticated stored cross-site scripting (XSS) vulnerability in the Upload File Shares API of LiquidFiles v4.2.7 allows attackers to execute arbitrary Javascript or HTML via injecting a crafted payload into the Name parameter.

Published: Jul 07, 2026
Source: NVD
CVE-2026-14895 HIGH - 7.5

String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service. The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex e...

Vendor: BAKERSCOT
Product: String::Util
Published: Jul 07, 2026
Source: NVD
CVE-2026-14740 CRITICAL - 9.1

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte....

Vendor: HMBRAND
Product: DBI
Published: Jul 07, 2026
Source: NVD
CVE-2026-14739 CRITICAL - 9.8

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders. DBI version 1.650 sets a hard limit of 99,999 placeholders.

Vendor: HMBRAND
Product: DBI
Published: Jul 07, 2026
Source: NVD
CVE-2026-14380 HIGH - 8.8

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package...

Vendor: HMBRAND
Product: DBI
Published: Jul 07, 2026
Source: NVD
CVE-2026-59706 CRITICAL - 9.3

mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can retrieve stored secrets like OpenAI API keys via GET /api/v1/config/ or trigger SSRF attacks...

Vendor: mem0
Product: mem0
Published: Jul 07, 2026
Source: NVD

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requ...

Vendor: ankitects
Product: anki
Published: Jul 07, 2026
Source: NVD
CVE-2026-58266 MEDIUM - 6.5

Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API despite protections intended to block reviewer and edi...

Vendor: ankitects
Product: anki
Published: Jul 07, 2026
Source: NVD
CVE-2026-55490 MEDIUM - 6.5

OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker on the local network to crash the daemon by sending a single crafted UDP packet. The message length underflows b...

Vendor: openwrt
Product: openwrt
Published: Jul 07, 2026
Source: NVD
CVE-2026-55418 HIGH - 8.6

FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that the key belongs to the caller's team. Because S3 object k...

Vendor: labring
Product: FastGPT
Published: Jul 07, 2026
Source: NVD

Koodo Reader is an ebook reader. In version 2.3.0 and earlier, Koodo Reader is vulnerable to remote code execution through malicious EPUB files because the open-book IPC handler enables nodeIntegrationInSubFrames and EPUB chapter content is rendered with unsanitized innerHTML. An attacker can craft ...

Vendor: koodo-reader
Product: koodo-reader
Published: Jul 07, 2026
Source: NVD

Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. W...

Vendor: hasura
Product: graphql-engine
Published: Jul 07, 2026
Source: NVD
CVE-2026-54607 HIGH - 7.7

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URLs without FastGPT's internal-address guard and returns f...

Vendor: labring
Product: FastGPT
Published: Jul 07, 2026
Source: NVD

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunk...

Vendor: labring
Product: FastGPT
Published: Jul 07, 2026
Source: NVD