Total CVEs

143,126

Critical Severity

4,045

High Severity

14,563

Last 7 Days

1,276
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 1 - 20 of 14,257 CVEs
CVE-2026-4256 HIGH - 8.2

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in PEAKUP Technology Inc. PassGate allows LDAP Injection. This issue affects PassGate: through 30042026.

Published: Jul 09, 2026
Source: NVD

Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`

Vendor: rubygems
Product: css_parser
Published: Jul 09, 2026
Source: GitHub
CVE-2026-49485 HIGH - 7.5

org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

Vendor: maven
Product: ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
Published: Jul 09, 2026
Source: GitHub

Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: Jul 09, 2026
Source: GitHub
CVE-2026-49477 HIGH - 7.5

Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser

Vendor: pip
Product: soupsieve
Published: Jul 09, 2026
Source: GitHub
CVE-2026-49476 HIGH - 7.5

Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists

Vendor: pip
Product: soupsieve
Published: Jul 09, 2026
Source: GitHub
CVE-2026-9253 HIGH - 7.2

The WP Cost Estimation & Payment Forms Builder (E&P Forms) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customerInfos' parameter in all versions up to, and including, 10.5.97 due to insufficient input sanitization and output escaping. This makes it pos...

Published: Jul 09, 2026
Source: NVD
CVE-2026-59692 HIGH - 7.5

A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin. During a DTLS handshake, the peer certificate Subject Distinguished Name is printed into a fixed-size 2048-byte stack buffer without bounds checking. A remote unauthenticated attacker can send a certificate with an over...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 09, 2026
Source: NVD
CVE-2026-59691 HIGH - 7.1

A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 09, 2026
Source: NVD
CVE-2026-4275 HIGH - 8.8

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of '__return_true' as the permission_callback for the /install_plugin and /activate_plugin ...

Published: Jul 09, 2026
Source: NVD
CVE-2026-14372 HIGH - 7.1

The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for...

Vendor: bitpressadmin
Product: Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder
Published: Jul 09, 2026
Source: NVD
CVE-2026-13441 HIGH - 7.2

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes ...

Vendor: metagauss
Product: EventPrime – Events Calendar, Bookings and Tickets
Published: Jul 09, 2026
Source: NVD
CVE-2026-1989 HIGH - 7.5

Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers. This issue affects PAVO Pay: through 09072026.Β NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published: Jul 09, 2026
Source: NVD
CVE-2026-8848 HIGH - 7.2

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an action....

Published: Jul 09, 2026
Source: NVD
CVE-2026-33390 HIGH - 8.1

An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. An authenticated user with limited privileges can push administrative CLI commands through the sync, altering the device configuration, and/or affecting i...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Jul 09, 2026
Source: NVD
CVE-2026-31985 HIGH - 8.1

When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Re...

Vendor: Nozomi Networks
Product: Remote Collector
Published: Jul 09, 2026
Source: NVD
CVE-2026-31984 HIGH - 7.5

A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging functionality, due to a missing size limit on input recorded into audit entries. An unauthenticated attacker can submit requests containing excessively large input that is recorded into audi...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Jul 09, 2026
Source: NVD
CVE-2026-31982 HIGH - 7.1

An Open Redirect vulnerability was discovered in the SAML Single Sign-On functionality due to insufficient validation of a user-controlled redirection parameter. An unauthenticated attacker can craft a request to the SAML sign-in endpoint and poison the cached SAML redirection for other users who su...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Jul 09, 2026
Source: NVD
CVE-2026-15000 HIGH - 7.2

The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

Vendor: rnzo
Product: Connect Contact Form 7 and Mailchimp
Published: Jul 09, 2026
Source: NVD
CVE-2026-47840 HIGH - 7.5

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves ...

Vendor: CloudFoundry Foundation
Product: UAA, Cf-deployment
Published: Jul 09, 2026
Source: NVD