Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,512
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,881 - 1,900 of 40,198 CVEs
CVE-2026-49352 CRITICAL - 9.8

9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass

Vendor: npm
Product: 9router
Published: Jul 02, 2026
Source: GitHub

Kiwi TCMS's /init-db/ page renders and responds to requests after first use

Vendor: pip
Product: kiwitcms
Published: Jul 02, 2026
Source: GitHub
CVE-2026-54617 CRITICAL - 9.8

LaunchServer FileServerHandler has an unauthenticated path traversal issue

Vendor: maven
Product: pro.gravit.launcher:launchserver-api
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49284 HIGH - 7.1

SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`

Vendor: composer
Product: simplesamlphp/simplesamlphp
Published: Jul 02, 2026
Source: GitHub

Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

Vendor: go
Product: github.com/xyproto/algernon
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52834 HIGH - 7.3

jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow

Vendor: rust
Product: jxl-grid
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52830 CRITICAL - 9.4

fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking w...

Vendor: pip
Product: fast-mcp-telegram
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49289 HIGH - 7.5

SimpleSAMLphp has Possible DoS via XPath Transform

Vendor: composer
Product: simplesamlphp/saml2
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52829 HIGH - 7.5

Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update

Vendor: rust
Product: zebra-network
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49283 HIGH - 8.7

SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass

Vendor: composer
Product: simplesamlphp/saml2
Published: Jul 02, 2026
Source: GitHub

Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments

Vendor: pip
Product: linuxfabrik-lib
Published: Jul 02, 2026
Source: GitHub
CVE-2026-59102 MEDIUM - 5.4

Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enab...

Vendor: forgejo
Product: forgejo
Published: Jul 02, 2026
Source: NVD
CVE-2026-59101 MEDIUM - 5.8

AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST /api/v1/setup/test-downloa...

Vendor: EstrellaXD
Product: Auto_Bangumi
Published: Jul 02, 2026
Source: NVD
CVE-2026-59100 MEDIUM - 5.0

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFr...

Vendor: lobehub
Product: lobehub
Published: Jul 02, 2026
Source: NVD
CVE-2026-59099 CRITICAL - 9.1

Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tok...

Vendor: apereo
Product: cas
Published: Jul 02, 2026
Source: NVD
CVE-2026-59098 MEDIUM - 6.5

LobeChat through 2.2.9 contains a broken access control vulnerability in the retrieval-augmented-generation semantic search functionality that allows authenticated attackers to access other users' data by exploiting missing user-identifier predicates in the chunk model semanticSearch method. At...

Vendor: lobehub
Product: lobehub
Published: Jul 02, 2026
Source: NVD
CVE-2026-59097 MEDIUM - 5.3

Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary proje...

Vendor: taiga
Product: taiga-back
Published: Jul 02, 2026
Source: NVD
CVE-2026-59096 HIGH - 7.5

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the docume...

Vendor: dapr
Product: dapr
Published: Jul 02, 2026
Source: NVD
CVE-2026-59095 HIGH - 7.7

LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpo...

Vendor: lobehub
Product: lobehub
Published: Jul 02, 2026
Source: NVD
CVE-2026-59094 HIGH - 7.5

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern valu...

Vendor: pathwaycom
Product: pathway
Published: Jul 02, 2026
Source: NVD