Total CVEs

143,818

Critical Severity

4,094

High Severity

14,786

Last 7 Days

1,518
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,901 - 1,920 of 40,223 CVEs
CVE-2026-38970 HIGH - 7.5

pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth.

Published: Jul 02, 2026
Source: NVD
CVE-2026-38969 HIGH - 7.5

ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.

Published: Jul 02, 2026
Source: NVD
CVE-2026-38968 CRITICAL - 9.8

ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding sessio...

Vendor: ntop
Product: ntopng
Published: Jul 02, 2026
Source: NVD

Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB

Vendor: pip
Product: recce
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49353 HIGH - 7.5

9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

Vendor: npm
Product: 9router
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49352 CRITICAL - 9.8

9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass

Vendor: npm
Product: 9router
Published: Jul 02, 2026
Source: GitHub

Kiwi TCMS's /init-db/ page renders and responds to requests after first use

Vendor: pip
Product: kiwitcms
Published: Jul 02, 2026
Source: GitHub
CVE-2026-54617 CRITICAL - 9.8

LaunchServer FileServerHandler has an unauthenticated path traversal issue

Vendor: maven
Product: pro.gravit.launcher:launchserver-api
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49284 HIGH - 7.1

SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`

Vendor: composer
Product: simplesamlphp/simplesamlphp
Published: Jul 02, 2026
Source: GitHub

Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

Vendor: go
Product: github.com/xyproto/algernon
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52834 HIGH - 7.3

jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow

Vendor: rust
Product: jxl-grid
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52830 CRITICAL - 9.4

fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking w...

Vendor: pip
Product: fast-mcp-telegram
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49289 HIGH - 7.5

SimpleSAMLphp has Possible DoS via XPath Transform

Vendor: composer
Product: simplesamlphp/saml2
Published: Jul 02, 2026
Source: GitHub
CVE-2026-52829 HIGH - 7.5

Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update

Vendor: rust
Product: zebra-network
Published: Jul 02, 2026
Source: GitHub
CVE-2026-49283 HIGH - 8.7

SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass

Vendor: composer
Product: simplesamlphp/saml2
Published: Jul 02, 2026
Source: GitHub

Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments

Vendor: pip
Product: linuxfabrik-lib
Published: Jul 02, 2026
Source: GitHub
CVE-2026-59102 MEDIUM - 5.4

Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enab...

Vendor: forgejo
Product: forgejo
Published: Jul 02, 2026
Source: NVD
CVE-2026-59101 MEDIUM - 5.8

AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST /api/v1/setup/test-downloa...

Vendor: EstrellaXD
Product: Auto_Bangumi
Published: Jul 02, 2026
Source: NVD
CVE-2026-59100 MEDIUM - 5.0

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFr...

Vendor: lobehub
Product: lobehub
Published: Jul 02, 2026
Source: NVD
CVE-2026-59099 CRITICAL - 9.1

Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tok...

Vendor: apereo
Product: cas
Published: Jul 02, 2026
Source: NVD