Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,722
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 7,441 - 7,460 of 38,432 CVEs

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and local...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub
CVE-2026-9270 CRITICAL - 9.1

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change...

Vendor: binary
Product: datadog\
Published: Jun 05, 2026
Source: NVD

7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size < 38 + idLen + i...

Vendor: mcmilk
Product: 7-Zip
Published: Jun 05, 2026
Source: NVD
CVE-2026-48101 MEDIUM - 6.5

7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without ze...

Vendor: mcmilk
Product: 7-Zip
Published: Jun 05, 2026
Source: NVD
CVE-2026-11362 CRITICAL - 9.8

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, w...

Vendor: BINARY
Product: DataDog::DogStatsd
Published: Jun 05, 2026
Source: NVD
CVE-2026-11336 MEDIUM - 6.3

A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument User...

Vendor: tittuvarghese
Product: CollegeManagementSystem
Published: Jun 05, 2026
Source: NVD

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission c...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hid...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/โ€ฆ) also sa...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes ...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub
CVE-2026-47375 MEDIUM - 6.0

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula valida...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the ...

Vendor: npm
Product: nocodb
Published: Jun 05, 2026
Source: GitHub
CVE-2026-47261 HIGH - 7.5

Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by ...

Vendor: rust
Product: wasmtime-wasi
Published: Jun 05, 2026
Source: GitHub
CVE-2026-47250 MEDIUM - 6.1

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environ...

Vendor: npm
Product: mcp-server-kubernetes
Published: Jun 05, 2026
Source: GitHub
CVE-2026-47249 HIGH - 7.5

Klever-Go KVM: Hash-array amplification in P2P resolver request handling

Vendor: go
Product: github.com/klever-io/klever-go
Published: Jun 05, 2026
Source: GitHub
CVE-2026-45726 HIGH - 7.6

Omni: Reader-level users can retrieve imported cluster CA keys via ResourceService

Vendor: go
Product: github.com/siderolabs/omni
Published: Jun 05, 2026
Source: GitHub

Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic

Vendor: go
Product: github.com/siderolabs/omni
Published: Jun 05, 2026
Source: GitHub
CVE-2026-45720 HIGH - 7.0

Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token

Vendor: go
Product: github.com/siderolabs/omni
Published: Jun 05, 2026
Source: GitHub