Total CVEs

143,670

Critical Severity

4,088

High Severity

14,736

Last 7 Days

1,526
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 1,081 - 1,100 of 40,075 CVEs

A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system configuration fields. The script subsequently executes in the br...

Vendor: Digi International
Product: Digi PortServer TS, Digi One SP, Digi One SP IA, Digi One IA
Published: Jul 07, 2026
Source: NVD
CVE-2026-12352 MEDIUM - 5.9

This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.

Vendor: Digi International
Product: PortServer TS 1/2/4, Digi One SP / SP IA / IA
Published: Jul 07, 2026
Source: NVD
CVE-2026-6101 HIGH - 7.5

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories a...

Published: Jul 07, 2026
Source: NVD
CVE-2026-53479 HIGH - 7.2

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special elements used in an OS command ('OS ...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 07, 2026
Source: NVD
CVE-2026-53483 CRITICAL - 9.8

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 an improper authentication vulnerability. An unauthenticated attacker with remote acces...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 07, 2026
Source: NVD
CVE-2026-53481 CRITICAL - 9.8

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper limitation of a pathname to a restricted directory ('Path Trav...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 07, 2026
Source: NVD
CVE-2026-10659 MEDIUM - 4.7

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara...

Vendor: zephyrproject
Product: zephyr
Published: Jul 07, 2026
Source: NVD
CVE-2026-45016 MEDIUM - 6.5

EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose

Vendor: composer
Product: egroupware/egroupware
Published: Jul 07, 2026
Source: GitHub
CVE-2026-44512 MEDIUM - 5.5

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. From 1.9.0 before 1.22.0, onnx.version_converter.convert_version() can dereference a null pointer in Upsample_6_7::adapt_upsample_6_7() in onnx/version_converter/adapters/upsample_6_7.h when processing an ...

Vendor: pip
Product: onnx
Published: Jul 07, 2026
Source: GitHub
CVE-2026-44342 MEDIUM - 5.3

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing ...

Vendor: go
Product: github.com/QuantumNous/new-api
Published: Jul 07, 2026
Source: GitHub

EGroupware has Authenticated RCE via Malicious eTemplate Upload

Vendor: composer
Product: egroupware/egroupware
Published: Jul 07, 2026
Source: GitHub

XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+

Vendor: maven
Product: org.xwiki.platform:xwiki-platform-oldcore
Published: Jul 07, 2026
Source: GitHub
CVE-2026-33655 HIGH - 7.7

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/bl...

Vendor: go
Product: github.com/QuantumNous/new-api
Published: Jul 07, 2026
Source: GitHub

EGroupware has a Remote Code Execution Vulnerability

Vendor: composer
Product: egroupware/egroupware
Published: Jul 07, 2026
Source: GitHub
CVE-2026-13696 HIGH - 8.8

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP Injection. This issue affects Liman MYS: before release.Master.1107.

Vendor: HAVELSAN Inc.
Product: Liman MYS
Published: Jul 07, 2026
Source: NVD
CVE-2026-11348 HIGH - 8.1

Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data. This issue affects Liman MYS: before release.Master.1107.

Vendor: HAVELSAN Inc.
Product: Liman MYS
Published: Jul 07, 2026
Source: NVD
CVE-2011-10043 CRITICAL - 9.8

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute a...

Vendor: BINGOS
Product: Module::Load
Published: Jul 07, 2026
Source: NVD
CVE-2026-11340 HIGH - 8.3

Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107.

Vendor: HAVELSAN Inc.
Product: Liman MYS
Published: Jul 07, 2026
Source: NVD
CVE-2026-49487 MEDIUM - 6.5

In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a provider API key) into its trigger, any authenticated user with DAG-scoped task-instance read a...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jul 07, 2026
Source: NVD
CVE-2026-49296 MEDIUM - 6.5

Before apache-airflow 3.3.0, a user authorized to read one Dag could disclose the source of other Dags co-located in the same source file. `GET /api/v2/dagSources/{dag_id}` — and the equivalent Dag-source view in the UI — returned the entire source file without redacting Dags the caller was not auth...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Jul 07, 2026
Source: NVD