Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20714
Total
1493
Critical
6288
High
6559
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-50742 | MEDIUM | 4.4 | A stored XSS vulnerabilities exists in the `maintenance-acl-check.php` and `maintenance-banners-check.php` tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without … | Jun 26, 2026 |
| CVE-2026-50741 | HIGH | 8.8 | Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by … | Jun 26, 2026 |
| CVE-2026-50740 | MEDIUM | 6.1 | A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh … | Jun 26, 2026 |
| CVE-2026-50739 | MEDIUM | 4.3 | A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the … | Jun 26, 2026 |
| CVE-2026-48936 | LOW | 3.3 | A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This … | Jun 26, 2026 |
| CVE-2026-48935 | LOW | 3.3 | A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. … | Jun 26, 2026 |
| CVE-2026-48934 | MEDIUM | 4.3 | A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js … | Jun 26, 2026 |
| CVE-2026-48933 | HIGH | 7.5 | A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported … | Jun 26, 2026 |
| CVE-2026-48930 | CRITICAL | 9.8 | A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This … | Jun 26, 2026 |
| CVE-2026-48928 | MEDIUM | 5.4 | A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js … | Jun 26, 2026 |
| CVE-2026-48619 | HIGH | 7.5 | A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory … | Jun 26, 2026 |
| CVE-2026-48618 | MEDIUM | 6.5 | A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and … | Jun 26, 2026 |
| CVE-2026-48615 | HIGH | 7.5 | A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, … | Jun 26, 2026 |
| CVE-2026-13226 | MEDIUM | 6.5 | The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up … | Jun 26, 2026 |
| CVE-2026-9222 | HIGH | 8.1 | Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow … | Jun 26, 2026 |
| CVE-2026-9221 | HIGH | 7.5 | The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and … | Jun 26, 2026 |
| CVE-2026-9220 | HIGH | 7.5 | Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. … | Jun 26, 2026 |
| CVE-2026-9219 | MEDIUM | 6.5 | Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. … | Jun 26, 2026 |
| CVE-2026-43920 | UNKNOWN | — | FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, … | Jun 26, 2026 |
| CVE-2026-13322 | LOW | 3.8 | A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character … | Jun 26, 2026 |
| CVE-2026-13318 | MEDIUM | 6.4 | A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the … | Jun 26, 2026 |
| CVE-2026-13218 | MEDIUM | 4.2 | A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink … | Jun 26, 2026 |
| CVE-2026-13083 | MEDIUM | 6.9 | A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with … | Jun 26, 2026 |
| CVE-2026-12993 | MEDIUM | 6.5 | A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. … | Jun 26, 2026 |
| CVE-2026-40941 | UNKNOWN | — | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed … | Jun 25, 2026 |