Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20714
Total
1493
Critical
6288
High
6559
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40084 | MEDIUM | 6.5 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing … | Jun 25, 2026 |
| CVE-2026-40083 | HIGH | 7.2 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 … | Jun 25, 2026 |
| CVE-2026-40082 | MEDIUM | 5.4 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is … | Jun 25, 2026 |
| CVE-2026-40080 | MEDIUM | 6.1 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than … | Jun 25, 2026 |
| CVE-2026-8720 | UNKNOWN | — | wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the … | Jun 25, 2026 |
| CVE-2026-7532 | UNKNOWN | — | iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an … | Jun 25, 2026 |
| CVE-2026-7511 | UNKNOWN | — | PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted. | Jun 25, 2026 |
| CVE-2026-6331 | UNKNOWN | — | HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the … | Jun 25, 2026 |
| CVE-2026-6330 | UNKNOWN | — | The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code … | Jun 25, 2026 |
| CVE-2026-6329 | UNKNOWN | — | PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and allowing a mismatched MAC to be accepted. The PKCS#12 … | Jun 25, 2026 |
| CVE-2026-6325 | UNKNOWN | — | Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer. | Jun 25, 2026 |
| CVE-2026-6092 | UNKNOWN | — | When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC. | Jun 25, 2026 |
| CVE-2026-55962 | UNKNOWN | — | TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The … | Jun 25, 2026 |
| CVE-2026-54479 | HIGH | 7.3 | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results … | Jun 25, 2026 |
| CVE-2026-50176 | HIGH | 7.5 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service … | Jun 25, 2026 |
| CVE-2026-44622 | MEDIUM | 6.5 | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | Jun 25, 2026 |
| CVE-2026-40702 | CRITICAL | 9.4 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to … | Jun 25, 2026 |
| CVE-2026-22879 | HIGH | 8.1 | vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability | Jun 25, 2026 |
| CVE-2026-13283 | HIGH | 7.5 | Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific … | Jun 25, 2026 |
| CVE-2026-13282 | MEDIUM | 6.8 | Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access … | Jun 25, 2026 |
| CVE-2026-13281 | HIGH | 8.3 | Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox … | Jun 25, 2026 |
| CVE-2026-12992 | HIGH | 7.4 | A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to … | Jun 25, 2026 |
| CVE-2026-12975 | HIGH | 8.5 | A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker … | Jun 25, 2026 |
| CVE-2026-11800 | HIGH | 8.1 | A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to … | Jun 25, 2026 |
| CVE-2026-11703 | UNKNOWN | — | Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a … | Jun 25, 2026 |