Total CVEs

143,768

Critical Severity

4,091

High Severity

14,768

Last 7 Days

1,527
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 1,341 - 1,360 of 40,173 CVEs
CVE-2026-53624 MEDIUM - 4.8

Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fix...

Vendor: go
Product: github.com/gofiber/fiber
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54771 HIGH - 8.1

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.3, a Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with `use=False, handle=True`. Version 0...

Vendor: pip
Product: langroid
Published: Jul 06, 2026
Source: GitHub
CVE-2026-54769 CRITICAL - 10.0

Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` capabilities. When these agents evaluate LLM-generated tool messages w...

Vendor: pip
Product: langroid
Published: Jul 06, 2026
Source: GitHub

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.1, the `SQLChatAgent` SQL-injection mitigation, with default `allow_dangerous_operations=False`, combines a raw-text regex blocklist (`_DANGEROUS_SQL_PATTERNS`) with a `sqlglot` SELECT-only statemen...

Vendor: pip
Product: langroid
Published: Jul 06, 2026
Source: GitHub

Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile

Vendor: go
Product: d7y.io/dragonfly/v2
Published: Jul 06, 2026
Source: GitHub

Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases

Vendor: pip
Product: linuxfabrik-lib
Published: Jul 06, 2026
Source: GitHub
CVE-2026-53486 CRITICAL - 9.1

Decompress: Archive extraction can create files and links outside of the target directory

Vendor: npm
Product: @xhmikosr/decompress
Published: Jul 06, 2026
Source: GitHub
CVE-2026-59089 MEDIUM - 5.5

A flaw was found in GIMP. The PlayStation TIM loader, responsible for handling PlayStation image files, incorrectly calculates the size of the Color Look-Up Table (CLUT) due to an integer overflow. This occurs when multiplying num_colors and num_cluts, both 16-bit unsigned short integers, resulting ...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 06, 2026
Source: NVD
CVE-2026-58404 MEDIUM - 6.8

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer...

Vendor: gohugoio
Product: hugo
Published: Jul 06, 2026
Source: NVD
CVE-2026-58403 MEDIUM - 6.5

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile ...

Vendor: gohugoio
Product: hugo
Published: Jul 06, 2026
Source: NVD
CVE-2026-58402 MEDIUM - 5.4

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a scr...

Vendor: gohugoio
Product: hugo
Published: Jul 06, 2026
Source: NVD
CVE-2026-55646 MEDIUM - 6.5

vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB ...

Vendor: vllm-project
Product: vllm
Published: Jul 06, 2026
Source: NVD

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.0.0 and prior to version 4.11.0, 32-bit integer overflows in OP-TEE core's AES-GCM implementation cause the aut...

Vendor: OP-TEE
Product: optee_os
Published: Jul 06, 2026
Source: NVD
CVE-2026-44362 MEDIUM - 5.5

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20.0 and prior to version 4.11.0, a vulnerability in OP-TEE’s subkey rollback protection allows the use of revoked o...

Vendor: OP-TEE
Product: optee_os
Published: Jul 06, 2026
Source: NVD

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.3.0 and prior to version 4.11.0, a resource leak exists in OP-TEE’s shared memory cleanup logic because the function...

Vendor: OP-TEE
Product: optee_os
Published: Jul 06, 2026
Source: NVD

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA PKCS#1 v1.5 decryption implementation in the Hisilicon HPRE crypto driver u...

Vendor: OP-TEE
Product: optee_os
Published: Jul 06, 2026
Source: NVD

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.9.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the NXP CAAM crypto driver uses non-const...

Vendor: OP-TEE
Product: optee_os
Published: Jul 06, 2026
Source: NVD

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the Hisilicon HPRE crypto driver uses non...

Vendor: OP-TEE
Product: optee_os
Published: Jul 06, 2026
Source: NVD
CVE-2026-14898 MEDIUM - 6.5

The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image URL ...

Vendor: OpenAI
Product: Codex desktop app for macOS
Published: Jul 06, 2026
Source: NVD
CVE-2026-14536 HIGH - 8.8

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid...

Vendor: Devolutions
Product: Server
Published: Jul 06, 2026
Source: NVD