Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,535
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,881 - 1,900 of 40,154 CVEs
CVE-2026-49253 HIGH - 7.1

electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling

Vendor: npm
Product: electerm
Published: Jul 02, 2026
Source: GitHub

@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields

Vendor: npm
Product: @conform-to/dom
Published: Jul 02, 2026
Source: GitHub
CVE-2026-7311 HIGH - 8.1

The TinyPNG โ€“ JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, wi...

Published: Jul 02, 2026
Source: NVD
CVE-2026-58465 HIGH - 7.5

Eclipse Wakaama before snapshot/2026-05-26 contains an unbounded memory allocation vulnerability in the CoAP Block1 handler within coap/block.c that allows unauthenticated remote attackers to exhaust server memory by sending a sequence of Block1 PUT requests with incrementing block numbers. Attacker...

Vendor: eclipse-wakaama
Product: wakaama
Published: Jul 02, 2026
Source: NVD

CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical access to the product to upload arbitrary malicious firmware to the device without authentication.

Vendor: CubeSpace
Product: CW0057 Reaction Wheel
Published: Jul 02, 2026
Source: NVD

joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)

Vendor: pip
Product: joserfc
Published: Jul 02, 2026
Source: GitHub

SFTPGo has stored XSS via inline parameter on public shares and user file download

Vendor: go
Product: github.com/drakkan/sftpgo/v2
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49244 MEDIUM - 5.9

SFTPGo has path confinement bypass in public browsable share partial ZIP download

Vendor: go
Product: github.com/drakkan/sftpgo/v2
Published: Jul 02, 2026
Source: GitHub

@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString

Vendor: npm
Product: @asymmetric-effort/specifyjs
Published: Jul 02, 2026
Source: GitHub

@asymmetric-effort/specifyjs: URL parse failure silently allows request

Vendor: npm
Product: @asymmetric-effort/specifyjs
Published: Jul 02, 2026
Source: GitHub

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, eve...

Vendor: composer
Product: craftcms/cms
Published: Jul 02, 2026
Source: GitHub

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId. Asse...

Vendor: composer
Product: craftcms/cms
Published: Jul 02, 2026
Source: GitHub

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately check...

Vendor: composer
Product: craftcms/cms
Published: Jul 02, 2026
Source: GitHub

Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mu...

Vendor: composer
Product: craftcms/cms
Published: Jul 02, 2026
Source: GitHub
CVE-2026-44454 HIGH - 8.1

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafte...

Vendor: go
Product: github.com/coder/coder/v2
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52854 HIGH - 8.6

mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function

Vendor: composer
Product: mediawiki/maps
Published: Jul 02, 2026
Source: GitHub

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, `SQLChatAgent` in `langroid` ships a `_validate_query` defense-in-depth layer whose `_DANGEROUS_SQL_PATTERNS` regex blocklist enumerates dangerous SQL primitives by specific function name. The li...

Vendor: pip
Product: langroid
Published: Jul 02, 2026
Source: GitHub
CVE-2026-50181 HIGH - 7.1

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, Langroid's `ReadFileTool` and `WriteFileTool` appear to treat `curr_dir` as the intended working-directory boundary for file operations. However, the tools only change the process working di...

Vendor: pip
Product: langroid
Published: Jul 02, 2026
Source: GitHub

Kerberos Hub private key (X-Kerberos-Hub-PrivateKey) leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect

Vendor: go
Product: github.com/kerberos-io/agent/machinery
Published: Jul 02, 2026
Source: GitHub

Cmov/CmovEq on aarch64 can produce wrong results if high-bits of registers are set

Vendor: rust
Product: cmov
Published: Jul 02, 2026
Source: GitHub