Total CVEs

138,585

Critical Severity

3,576

High Severity

12,840

Last 7 Days

1,961
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 161 - 180 of 34,990 CVEs
CVE-2026-32208 HIGH - 8.8

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.

Published: Jun 19, 2026
Source: NVD

py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()

Vendor: pip
Product: py7zr
Published: Jun 19, 2026
Source: GitHub

py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size

Vendor: pip
Product: py7zr
Published: Jun 19, 2026
Source: GitHub
CVE-2026-55187 MEDIUM - 5.8

Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms

Vendor: go
Product: github.com/axllent/mailpit
Published: Jun 19, 2026
Source: GitHub

Open Redirect Bypass in miniflux-v2

Vendor: go
Product: miniflux.app/v2
Published: Jun 19, 2026
Source: GitHub

Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails

Vendor: go
Product: github.com/traefik/traefik/v3
Published: Jun 19, 2026
Source: GitHub
CVE-2026-55847 MEDIUM - 6.1

Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering

Vendor: maven
Product: io.qameta.allure:allure-generator
Published: Jun 19, 2026
Source: GitHub
CVE-2026-55846 MEDIUM - 6.2

Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read

Vendor: maven
Product: io.qameta.allure:allure-commandline
Published: Jun 19, 2026
Source: GitHub
CVE-2026-55837 MEDIUM - 6.8

dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens

Vendor: pip
Product: dbt-mcp
Published: Jun 19, 2026
Source: GitHub

go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)

Vendor: go
Product: go.qbee.io/transport
Published: Jun 19, 2026
Source: GitHub

TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover

Vendor: npm
Product: tinacms
Published: Jun 19, 2026
Source: GitHub

Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass

Vendor: composer
Product: craftcms/commerce
Published: Jun 19, 2026
Source: GitHub

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Vendor: composer
Product: craftcms/cms
Published: Jun 19, 2026
Source: GitHub
CVE-2026-54074 HIGH - 7.8

@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration โ€” unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels

Vendor: npm
Product: @tinacms/cli
Published: Jun 19, 2026
Source: GitHub
CVE-2026-55691 HIGH - 8.6

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template

Vendor: composer
Product: starcitizenwiki/embedvideo
Published: Jun 19, 2026
Source: GitHub
CVE-2026-55690 HIGH - 7.5

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text

Vendor: composer
Product: starcitizenwiki/embedvideo
Published: Jun 19, 2026
Source: GitHub
CVE-2026-55091 HIGH - 7.5

flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key

Vendor: npm
Product: flat-to-nested
Published: Jun 19, 2026
Source: GitHub

@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument

Vendor: npm
Product: @cyclonedx/cyclonedx-npm
Published: Jun 19, 2026
Source: GitHub
CVE-2026-54911 MEDIUM - 6.5

UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

Vendor: pip
Product: ujson
Published: Jun 19, 2026
Source: GitHub

Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption

Vendor: rubygems
Product: concurrent-ruby
Published: Jun 19, 2026
Source: GitHub