Total CVEs

143,744

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,578
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 1,421 - 1,440 of 40,149 CVEs

A information disclosure when DEBUG loglevel is set in SUSE Rancher AI Agent 1.0 before 1.0.2 could leak API keys or LLM response text with potential sensitive data into logfiles, allowing local attackers to misuse respective gained data or credentials.

Vendor: SUSE
Product: Rancher
Published: Jul 06, 2026
Source: NVD
CVE-2026-43867 CRITICAL - 9.8

Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads that metadata back from the...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-43866 HIGH - 7.3

Deserialization of Untrusted Data vulnerability in Apache Camel, Apache Camel JMS component. JmsBinding.extractBodyFromJms() in camel-jms - and the equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the ...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-43865 HIGH - 8.1

Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component. The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-42527 HIGH - 8.1

Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggr...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-40859 HIGH - 8.1

Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserialize...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-40047 CRITICAL - 9.1

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java....

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Jul 06, 2026
Source: NVD
CVE-2026-24014 CRITICAL - 9.8

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to w...

Vendor: Apache Software Foundation
Product: Apache IoTDB
Published: Jul 06, 2026
Source: NVD
CVE-2026-24013 CRITICAL - 9.1

Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allow...

Vendor: Apache Software Foundation
Product: Apache IoTDB
Published: Jul 06, 2026
Source: NVD
CVE-2026-24012 HIGH - 7.5

Uncontrolled Resource Consumption vulnerability in Apache IoTDB.  Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). Th...

Vendor: Apache Software Foundation
Product: Apache IoTDB
Published: Jul 06, 2026
Source: NVD

uniFLOW Universal Login Manager (ULM) Standalone contains an information disclosure vulnerability that may allow an authenticated administrator to access sensitive configuration information through the ULM Remote User Interface (RUI). Exploitation requires administrative privileges and may disclose ...

Published: Jul 06, 2026
Source: NVD
CVE-2026-14809 HIGH - 7.5

Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

Vendor: PROG MIS
Product: Prog Management System
Published: Jul 06, 2026
Source: NVD
CVE-2026-6382 CRITICAL - 9.1

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operation...

Published: Jul 06, 2026
Source: NVD
CVE-2026-14808 CRITICAL - 9.8

Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain the database account and password.

Vendor: PROG MIS
Product: Prog Management System
Published: Jul 06, 2026
Source: NVD
CVE-2026-14807 CRITICAL - 9.8

ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.

Vendor: PROG MIS
Product: ERP App
Published: Jul 06, 2026
Source: NVD
CVE-2026-14802 HIGH - 7.3

A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploi...

Vendor: react
Product: create-react-app
Published: Jul 06, 2026
Source: NVD

A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attac...

Product: GPAC
Published: Jul 06, 2026
Source: NVD
CVE-2026-14800 MEDIUM - 4.3

A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and c...

Vendor: imhamzaazam
Product: ecommerceFlask
Published: Jul 06, 2026
Source: NVD
CVE-2026-12083 HIGH - 8.1

The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted adm...

Vendor: Unknown
Product: Admin and Site Enhancements (ASE), admin-site-enhancements-pro
Published: Jul 06, 2026
Source: NVD
CVE-2026-11962 HIGH - 8.8

The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and a...

Vendor: Unknown
Product: FileOrganizer
Published: Jul 06, 2026
Source: NVD