Total CVEs

143,126

Critical Severity

4,045

High Severity

14,563

Last 7 Days

1,276
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 1 - 20 of 39,531 CVEs
CVE-2026-60095 MEDIUM - 6.5

Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is mea...

Vendor: Vinchin
Product: Backup & Recovery 9.0
Published: Jul 09, 2026
Source: NVD
CVE-2026-60094 MEDIUM - 6.5

Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can c...

Vendor: Vinchin
Product: Backup & Recovery 9.0
Published: Jul 09, 2026
Source: NVD
CVE-2026-4256 HIGH - 8.2

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in PEAKUP Technology Inc. PassGate allows LDAP Injection. This issue affects PassGate: through 30042026.

Published: Jul 09, 2026
Source: NVD
CVE-2026-15186 MEDIUM - 6.3

A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The expl...

Vendor: macrozheng
Product: mall
Published: Jul 09, 2026
Source: NVD

A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been ...

Product: GPAC
Published: Jul 09, 2026
Source: NVD

A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.

Vendor: Xerte
Product: Xerte Online Tools
Published: Jul 09, 2026
Source: NVD

An Improper Input Validation vulnerability in BigQuery DAO in Google Cloud Apigee versions prior to 2026-06-12 on Google Cloud Platform allows an authenticated attacker to exfiltrate cross-tenant data. This vulnerability was patched on 12 June 2026 on the Apigee Servers, and no customer action is ...

Vendor: Google Cloud
Product: Apigee
Published: Jul 09, 2026
Source: NVD

The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user (w...

Vendor: Qt
Product: Axivion
Published: Jul 09, 2026
Source: NVD

A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.

Vendor: Xerte
Product: Xerte Online Tools
Published: Jul 09, 2026
Source: NVD
CVE-2026-53760 MEDIUM - 5.2

Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests

Vendor: composer
Product: admidio/admidio
Published: Jul 09, 2026
Source: GitHub

Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`

Vendor: rubygems
Product: css_parser
Published: Jul 09, 2026
Source: GitHub
CVE-2026-49485 HIGH - 7.5

org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

Vendor: maven
Product: ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
Published: Jul 09, 2026
Source: GitHub

pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small

Vendor: pip
Product: pymonocypher
Published: Jul 09, 2026
Source: GitHub

Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: Jul 09, 2026
Source: GitHub
CVE-2026-50554 MEDIUM - 5.3

Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: Jul 09, 2026
Source: GitHub
CVE-2026-49477 HIGH - 7.5

Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser

Vendor: pip
Product: soupsieve
Published: Jul 09, 2026
Source: GitHub
CVE-2026-49476 HIGH - 7.5

Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists

Vendor: pip
Product: soupsieve
Published: Jul 09, 2026
Source: GitHub
CVE-2026-48987 MEDIUM - 6.5

pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager

Vendor: pip
Product: pyload-ng
Published: Jul 09, 2026
Source: GitHub
CVE-2026-48737 MEDIUM - 4.9

pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs

Vendor: pip
Product: pyload-ng
Published: Jul 09, 2026
Source: GitHub

A vulnerability was found in GNU LibreDWG up to 0.13.4. The impacted element is the function dwg_next_entity of the file src/dwg.c of the component DWG File Handler. Performing a manipulation of the argument next_obj results in null pointer dereference. The attack must be initiated from a local posi...

Vendor: GNU
Product: LibreDWG
Published: Jul 09, 2026
Source: NVD