Total CVEs

143,522

Critical Severity

4,074

High Severity

14,702

Last 7 Days

1,397
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 921 - 940 of 39,927 CVEs
CVE-2026-13020 HIGH - 8.1

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an em...

Vendor: Esri
Product: Portal for ArcGIS
Published: Jul 07, 2026
Source: NVD
CVE-2026-13019 CRITICAL - 9.8

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

Vendor: Esri
Product: Portal for ArcGIS
Published: Jul 07, 2026
Source: NVD
CVE-2025-12799 MEDIUM - 6.5

A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.

Published: Jul 07, 2026
Source: NVD
CVE-2026-56812 HIGH - 7.5

Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is ass...

Vendor: phoenixframework
Product: phoenix
Published: Jul 07, 2026
Source: NVD
CVE-2026-56811 HIGH - 7.5

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll). This v...

Vendor: phoenixframework
Product: phoenix
Published: Jul 07, 2026
Source: NVD
CVE-2026-14969 MEDIUM - 4.4

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.

Vendor: Red Hat
Product: Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 07, 2026
Source: NVD

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 07, 2026
Source: NVD
CVE-2026-59709 MEDIUM - 4.3

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remov...

Vendor: Ghostfolio
Product: Ghostfolio
Published: Jul 07, 2026
Source: NVD
CVE-2026-53878 MEDIUM - 6.1

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. D...

Vendor: djangoproject
Product: Django
Published: Jul 07, 2026
Source: NVD
CVE-2026-53877 MEDIUM - 4.8

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer...

Vendor: djangoproject
Product: Django
Published: Jul 07, 2026
Source: NVD

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earli...

Vendor: djangoproject
Product: Django
Published: Jul 07, 2026
Source: NVD
CVE-2026-14940 MEDIUM - 5.3

A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), the server can write past the end of a heap allocation while sorting RDN attrib...

Vendor: Red Hat
Product: Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 07, 2026
Source: NVD

A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the br...

Vendor: Digi International
Product: Digi PortServer TS, Digi One SP, Digi One SP IA, Digi One IA
Published: Jul 07, 2026
Source: NVD
CVE-2026-12352 MEDIUM - 5.9

This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.

Vendor: Digi International
Product: PortServer TS 1/2/4, Digi One SP / SP IA / IA
Published: Jul 07, 2026
Source: NVD
CVE-2026-6101 HIGH - 7.5

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories a...

Published: Jul 07, 2026
Source: NVD
CVE-2026-53479 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an OS command ('OS ...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 07, 2026
Source: NVD
CVE-2026-53483 CRITICAL - 9.8

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 an improper authentication vulnerability. An unauthenticated attacker with remote acces...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 07, 2026
Source: NVD
CVE-2026-53481 CRITICAL - 9.8

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper limitation of a pathname to a restricted directory ('Path Trav...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 07, 2026
Source: NVD
CVE-2026-10659 MEDIUM - 4.7

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara...

Vendor: zephyrproject
Product: zephyr
Published: Jul 07, 2026
Source: NVD
CVE-2026-45016 MEDIUM - 6.5

EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose

Vendor: composer
Product: egroupware/egroupware
Published: Jul 07, 2026
Source: GitHub