Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,245
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 101 - 120 of 39,486 CVEs
CVE-2026-6352 LOW - 2.7

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorizatio...

Published: Jul 08, 2026
Source: NVD
CVE-2026-60105 HIGH - 8.6

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtai...

Vendor: Monsta Limited of New Zealand
Product: Monsta FTP
Published: Jul 08, 2026
Source: NVD
CVE-2026-59818 MEDIUM - 6.5

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRP...

Vendor: etcd-io
Product: etcd
Published: Jul 08, 2026
Source: NVD
CVE-2026-58525 HIGH - 8.2

Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

Published: Jul 08, 2026
Source: NVD
CVE-2026-58494 MEDIUM - 6.5

Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite ho...

Vendor: bytecodealliance
Product: wasmtime
Published: Jul 08, 2026
Source: NVD
CVE-2026-58211 MEDIUM - 5.4

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a parser path used when the first client operation was not CONNECT, bypassing user-level connection restr...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58208 MEDIUM - 6.8

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with acce...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58207 HIGH - 7.7

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal ari...

Vendor: nats-io
Product: nats-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-58192 HIGH - 8.6

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() with...

Vendor: appium
Product: appium
Published: Jul 08, 2026
Source: NVD
CVE-2026-58191 MEDIUM - 6.5

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate re...

Vendor: appium
Product: appium
Published: Jul 08, 2026
Source: NVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber...

Vendor: parse-community
Product: parse-server
Published: Jul 08, 2026
Source: NVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the interna...

Vendor: parse-community
Product: parse-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-56669 HIGH - 7.5

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of uniqu...

Vendor: elysiajs
Product: elysia
Published: Jul 08, 2026
Source: NVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allo...

Vendor: parse-community
Product: parse-server
Published: Jul 08, 2026
Source: NVD
CVE-2026-55596 HIGH - 8.7

Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a ...

Vendor: udecode
Product: plate
Published: Jul 08, 2026
Source: NVD
CVE-2026-54591 HIGH - 8.1

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.1, a malicious SSH server can write arbitrary files on the asyncssh SCP client's filesystem by sending filenames containing .....

Vendor: ronf
Product: asyncssh
Published: Jul 08, 2026
Source: NVD
CVE-2026-54590 MEDIUM - 5.9

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in Aut...

Vendor: ronf
Product: asyncssh
Published: Jul 08, 2026
Source: NVD
CVE-2026-54528 HIGH - 7.1

JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase() in GitHandler.prepare() in jupyterlab_git/handlers.py to enforce excluded_paths, allowing an authenticated user on a case-insensitive filesystem to vary URL path casing and read excluded dire...

Vendor: jupyterlab
Product: jupyterlab-git
Published: Jul 08, 2026
Source: NVD

JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to execute JavaScript when a victim views the rename diff i...

Vendor: jupyterlab
Product: jupyterlab-git
Published: Jul 08, 2026
Source: NVD
CVE-2026-49866 HIGH - 7.5

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously i...

Vendor: libp2p
Product: js-libp2p
Published: Jul 08, 2026
Source: NVD