Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,527
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,901 - 1,920 of 40,154 CVEs

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.ย  An attacker with administrative privilege...

Published: Jul 02, 2026
Source: NVD
CVE-2026-55952 HIGH - 7.5

The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with...

Vendor: Erlang
Product: OTP
Published: Jul 02, 2026
Source: NVD
CVE-2026-55950 MEDIUM - 5.9

Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener. A DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming ...

Vendor: Erlang
Product: OTP
Published: Jul 02, 2026
Source: NVD

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data. Th...

Vendor: Erlang
Product: OTP
Published: Jul 02, 2026
Source: NVD
CVE-2026-54887 MEDIUM - 4.8

Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the ...

Vendor: Erlang
Product: OTP
Published: Jul 02, 2026
Source: NVD
CVE-2026-54886 MEDIUM - 4.3

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive. The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of ...

Vendor: Erlang
Product: OTP
Published: Jul 02, 2026
Source: NVD
CVE-2026-53422 MEDIUM - 4.3

Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false,...

Vendor: Erlang
Product: OTP
Published: Jul 02, 2026
Source: NVD
CVE-2024-58352 HIGH - 7.5

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input sanitizatio...

Vendor: Shenzhen Landray Software Co., Ltd.
Product: Landry Office Automation (OA)
Published: Jul 02, 2026
Source: NVD
CVE-2024-14037 CRITICAL - 9.8

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endpoint. Attackers can submit a multipart POST request with a JSP webshell disguised using a spoofed ima...

Vendor: Guangzhou Red Sea Cloud Computing Co., Ltd.
Product: Red Sea Cloud eHR
Published: Jul 02, 2026
Source: NVD
CVE-2022-50973 CRITICAL - 9.8

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submitting a POST request with attacker-controlled filepath and filename parameters without any authentication...

Vendor: Yonyou Network Technology Co., Ltd.
Product: KSOA
Published: Jul 02, 2026
Source: NVD
CVE-2026-50149 MEDIUM - 6.5

Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled

Vendor: go
Product: github.com/projectcontour/contour
Published: Jul 02, 2026
Source: GitHub
CVE-2026-58455 CRITICAL - 9.8

Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authentication redirect in loader.php combined with unsanitized input passed to shell_exec() in ajax/compo...

Vendor: Notifiarr
Product: dockwatch
Published: Jul 02, 2026
Source: NVD
CVE-2026-44941 HIGH - 8.4

A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.

Vendor: SUSE
Product: libzypp
Published: Jul 02, 2026
Source: NVD
CVE-2026-9272 HIGH - 8.1

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modifi...

Vendor: progress
Product: flowmon_anomaly_detection_system
Published: Jul 02, 2026
Source: NVD
CVE-2026-8079 HIGH - 7.3

In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized acce...

Vendor: progress
Product: flowmon
Published: Jul 02, 2026
Source: NVD
CVE-2026-56842 HIGH - 7.5

A malicious actor with access to the network and under certain conditions could exploit an Incorrect Authorization vulnerability found in UniFi Network Application to persist privileges within UniFi Network Application after such access had been removed.

Vendor: Ubiquiti Inc
Product: UniFi Network Application
Published: Jul 02, 2026
Source: NVD
CVE-2026-56841 HIGH - 8.8

A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device.

Vendor: Ubiquiti Inc
Product: UniFi Protect Application
Published: Jul 02, 2026
Source: NVD
CVE-2026-56004 CRITICAL - 10.0

A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services

Vendor: openSUSE
Product: buildservice
Published: Jul 02, 2026
Source: NVD
CVE-2026-55119 HIGH - 8.1

A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Talk Application to escalate privileges within the UniFi Talk Application.

Vendor: Ubiquiti Inc
Product: UniFi Talk Application
Published: Jul 02, 2026
Source: NVD
CVE-2026-55118 HIGH - 8.3

A malicious actor with access to the network,low privileges and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.

Vendor: Ubiquiti Inc
Product: UniFi Network Application
Published: Jul 02, 2026
Source: NVD