Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,535
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,861 - 1,880 of 40,154 CVEs
CVE-2026-58578 MEDIUM - 6.5

LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft...

Vendor: lobehub
Product: lobehub
Published: Jul 02, 2026
Source: NVD
CVE-2026-58467 HIGH - 7.5

Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. A...

Vendor: cockpit-project
Product: cockpit
Published: Jul 02, 2026
Source: NVD
CVE-2026-58466 CRITICAL - 9.8

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is emp...

Vendor: EstrellaXD
Product: Auto_Bangumi
Published: Jul 02, 2026
Source: NVD
CVE-2026-58381 MEDIUM - 6.1

A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 02, 2026
Source: NVD
CVE-2026-52187 HIGH - 7.5

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_483ba0 component

Published: Jul 02, 2026
Source: NVD
CVE-2025-71385 MEDIUM - 6.1

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a UR...

Vendor: netdata
Product: netdata
Published: Jul 02, 2026
Source: NVD
CVE-2026-52746 HIGH - 7.5

jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion

Vendor: npm
Product: jsonata
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52734 MEDIUM - 5.3

zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention

Vendor: rust
Product: zebrad
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52733 MEDIUM - 6.5

zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip

Vendor: rust
Product: zebra-state
Published: Jul 02, 2026
Source: GitHub

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\...

Vendor: composer
Product: craftcms/cms
Published: Jul 02, 2026
Source: GitHub

Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The dupli...

Vendor: composer
Product: craftcms/cms
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52739 MEDIUM - 5.9

Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection

Vendor: rust
Product: zebra-state
Published: Jul 02, 2026
Source: GitHub

Zebra: Finalized address balance credit-first overflow on consensus-valid blocks

Vendor: rust
Product: zebra-state
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52737 MEDIUM - 5.3

Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block

Vendor: rust
Product: zebra-consensus
Published: Jul 02, 2026
Source: GitHub

zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser

Vendor: rust
Product: zebra-script
Published: Jul 02, 2026
Source: GitHub

Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache

Vendor: rust
Product: zebra-state
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52732 MEDIUM - 5.3

zebrad has mempool transaction admission denial via single-peer inbound queue saturation

Vendor: rust
Product: zebrad
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52731 MEDIUM - 6.5

zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate

Vendor: rust
Product: zebra-rpc
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49255 HIGH - 8.8

electerm has Command Injection in File System Operations (rmrf, mv, cp)

Vendor: npm
Product: electerm
Published: Jul 02, 2026
Source: GitHub

Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth

Vendor: go
Product: d7y.io/dragonfly/v2
Published: Jul 02, 2026
Source: GitHub