Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20714
Total
1493
Critical
6288
High
6559
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-54024 | MEDIUM | 6.5 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-11171 (commit bb58a2d0) added limits: { fileSize } … | Jun 25, 2026 |
| CVE-2026-45233 | HIGH | 8.1 | HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the … | Jun 25, 2026 |
| CVE-2026-13351 | HIGH | 7.5 | Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When … | Jun 25, 2026 |
| CVE-2026-13350 | UNKNOWN | — | Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create. | Jun 25, 2026 |
| CVE-2026-9718 | UNKNOWN | — | CWE-617 Reachable Assertion vulnerability exists that could allow an authenticated attacker to trigger a denial-of-service condition, impacting system availability when a specially crafted request is … | Jun 25, 2026 |
| CVE-2026-9717 | UNKNOWN | — | CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, … | Jun 25, 2026 |
| CVE-2026-9716 | UNKNOWN | — | CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the device’s HMI and configuration functionality unavailable when malformed requests are received … | Jun 25, 2026 |
| CVE-2026-9651 | UNKNOWN | — | CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged … | Jun 25, 2026 |
| CVE-2026-9650 | UNKNOWN | — | CWE-522 Insufficiently Protected Credentials vulnerability that could cause unauthorized access and exposure of sensitive information when unauthenticated attacker accesses credentials stored within firmware or system … | Jun 25, 2026 |
| CVE-2026-57456 | HIGH | 7.8 | Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class … | Jun 25, 2026 |
| CVE-2026-57455 | HIGH | 7.8 | Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell … | Jun 25, 2026 |
| CVE-2026-57454 | MEDIUM | 6.1 | Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose … | Jun 25, 2026 |
| CVE-2026-57453 | MEDIUM | 6.5 | Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, … | Jun 25, 2026 |
| CVE-2026-57452 | MEDIUM | 5.5 | Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, … | Jun 25, 2026 |
| CVE-2026-57451 | MEDIUM | 5.3 | Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's … | Jun 25, 2026 |
| CVE-2026-57438 | MEDIUM | 6.6 | Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> … | Jun 25, 2026 |
| CVE-2026-55895 | HIGH | 7.8 | Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) … | Jun 25, 2026 |
| CVE-2026-55892 | MEDIUM | 5.5 | Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a … | Jun 25, 2026 |
| CVE-2026-55693 | HIGH | 7.8 | Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file … | Jun 25, 2026 |
| CVE-2026-55477 | HIGH | 7.2 | 3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary … | Jun 25, 2026 |
| CVE-2026-54036 | MEDIUM | 5.3 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user … | Jun 25, 2026 |
| CVE-2026-4522 | UNKNOWN | — | Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1. | Jun 25, 2026 |
| CVE-2026-48946 | MEDIUM | 6.3 | The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web … | Jun 25, 2026 |
| CVE-2026-48945 | MEDIUM | 5.3 | The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image … | Jun 25, 2026 |
| CVE-2026-48944 | MEDIUM | 6.5 | The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and … | Jun 25, 2026 |