Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,541
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 9,721 - 9,740 of 40,154 CVEs

AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle

Vendor: go
Product: github.com/AdguardTeam/AdGuardHome
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48013 MEDIUM - 4.1

Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation

Vendor: composer
Product: shopware/core
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48015 MEDIUM - 4.9

Shopware: Stored XSS via SVG file upload โ€” no SVG sanitization

Vendor: composer
Product: shopware/core
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48016 MEDIUM - 4.3

Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

Vendor: composer
Product: shopware/platform
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48014 MEDIUM - 6.5

Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Vendor: composer
Product: shopware/platform
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48012 MEDIUM - 4.3

Shopware SSO referer trust leading to an arbitrary redirect target

Vendor: composer
Product: shopware/core
Published: Jun 04, 2026
Source: GitHub

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

Vendor: composer
Product: shopware/platform
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48010 MEDIUM - 6.5

Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

Vendor: composer
Product: shopware/platform
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48009 MEDIUM - 6.8

Shopware: Admin Account Takeover via User Recovery Hash Exposure

Vendor: composer
Product: shopware/platform
Published: Jun 04, 2026
Source: GitHub
CVE-2026-48008 MEDIUM - 6.5

Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

Vendor: composer
Product: shopware/platform
Published: Jun 04, 2026
Source: GitHub

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (...

Vendor: netty
Product: netty-incubator-codec-ohttp
Published: Jun 04, 2026
Source: NVD
CVE-2026-36499 MEDIUM - 6.5

A missing upper-bound check in the udpif_set_threads() function of Open vSwitch v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This can cause a denial of service (DoS) via resource exhaustion.

Published: Jun 04, 2026
Source: NVD
CVE-2025-71316 CRITICAL - 9.8

SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file argum...

Vendor: SQLite
Product: sqldiff
Published: Jun 04, 2026
Source: NVD
CVE-2025-65640 MEDIUM - 6.3

Cross Site Scripting (XSS) vulnerability in the "Task in Progress / Recent" page in Arket Globe Document Intelligence 5.0.0.559 due to improper sanitization of user input in text fields when creating a new document. Specifically, when an authenticated attacker submits data containing JavaS...

Published: Jun 04, 2026
Source: NVD
CVE-2026-50183 MEDIUM - 4.7

WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

Vendor: composer
Product: WWBN/AVideo
Published: Jun 04, 2026
Source: GitHub
CVE-2026-50182 MEDIUM - 6.1

WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Vendor: composer
Product: WWBN/AVideo
Published: Jun 04, 2026
Source: GitHub

WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)

Vendor: composer
Product: wwbn/avideo
Published: Jun 04, 2026
Source: GitHub

OpenMeter: SQL injection through meter creation

Vendor: go
Product: github.com/openmeterio/openmeter
Published: Jun 04, 2026
Source: GitHub
CVE-2026-50292 HIGH - 7.4

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

Vendor: freedesktop
Product: libinput
Published: Jun 04, 2026
Source: NVD
CVE-2026-48040 CRITICAL - 9.1

The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to 0.0.22.Final provide a fallback path for direct ...

Vendor: netty
Product: netty-incubator-codec-ohttp
Published: Jun 04, 2026
Source: NVD