Total CVEs

143,656

Critical Severity

4,086

High Severity

14,732

Last 7 Days

1,531
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 961 - 980 of 40,061 CVEs
CVE-2026-60002 HIGH - 7.7

ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-60001 MEDIUM - 6.5

sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD

sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59999 MEDIUM - 5.9

In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59998 MEDIUM - 4.8

sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59997 MEDIUM - 4.2

internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59996 MEDIUM - 4.2

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59995 MEDIUM - 4.2

sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-56843 CRITICAL - 9.9

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results i...

Vendor: Webpros
Product: Plesk
Published: Jul 08, 2026
Source: NVD

oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)

Vendor: go
Product: github.com/oasdiff/oasdiff
Published: Jul 07, 2026
Source: GitHub
CVE-2026-53572 MEDIUM - 5.9

KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping

Vendor: go
Product: github.com/kedacore/keda/v2
Published: Jul 07, 2026
Source: GitHub
CVE-2026-53553 HIGH - 7.7

Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise

Vendor: go
Product: github.com/zhenorzz/goploy
Published: Jul 07, 2026
Source: GitHub
CVE-2026-53552 CRITICAL - 9.6

Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers

Vendor: go
Product: github.com/zhenorzz/goploy
Published: Jul 07, 2026
Source: GitHub

aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address

Vendor: pip
Product: aiosmtplib
Published: Jul 07, 2026
Source: GitHub
CVE-2026-53487 MEDIUM - 4.3

Kite has an authenticated cluster RBAC bypass in /api/v1/overview

Vendor: go
Product: github.com/zxh326/kite
Published: Jul 07, 2026
Source: GitHub

ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)

Vendor: rust
Product: ratex-parser
Published: Jul 07, 2026
Source: GitHub

ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice)

Vendor: rust
Product: ratex-parser
Published: Jul 07, 2026
Source: GitHub
CVE-2026-59705 CRITICAL - 9.8

mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or d...

Vendor: mem0
Product: mem0
Published: Jul 07, 2026
Source: NVD
CVE-2026-59704 HIGH - 7.1

Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generat...

Vendor: Cap
Product: Cap
Published: Jul 07, 2026
Source: NVD
CVE-2026-51937 HIGH - 7.5

An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component

Published: Jul 07, 2026
Source: NVD