CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 20346 | Critical: 1466 | High: 6163 | Medium: 6464
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-58579 | MEDIUM | 5.4 | RAGFlow before 0.26.3 stores an agent pipeline (DSL) node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalize_dsl, which only performs … | Jul 02, 2026 |
| CVE-2026-58578 | MEDIUM | 6.5 | LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying … | Jul 02, 2026 |
| CVE-2026-58467 | HIGH | 7.5 | Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP … | Jul 02, 2026 |
| CVE-2026-58466 | CRITICAL | 9.8 | AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials … | Jul 02, 2026 |
| CVE-2026-58381 | MEDIUM | 6.1 | A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. … | Jul 02, 2026 |
| CVE-2026-52187 | UNKNOWN | — | Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_483ba0 component | Jul 02, 2026 |
| CVE-2025-71385 | MEDIUM | 6.1 | Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) … | Jul 02, 2026 |
| CVE-2026-7311 | HIGH | 8.1 | The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in … | Jul 02, 2026 |
| CVE-2026-58465 | HIGH | 7.5 | Eclipse Wakaama before snapshot/2026-05-26 contains an unbounded memory allocation vulnerability in the CoAP Block1 handler within coap/block.c that allows unauthenticated remote attackers to exhaust server … | Jul 02, 2026 |
| CVE-2026-13743 | UNKNOWN | — | CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with … | Jul 02, 2026 |
| CVE-2026-8699 | UNKNOWN | — | A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and … | Jul 02, 2026 |
| CVE-2026-55952 | UNKNOWN | — | The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have … | Jul 02, 2026 |
| CVE-2026-55950 | UNKNOWN | — | Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener. … | Jul 02, 2026 |
| CVE-2026-54891 | UNKNOWN | — | Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext … | Jul 02, 2026 |
| CVE-2026-54887 | UNKNOWN | — | Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. … | Jul 02, 2026 |
| CVE-2026-54886 | UNKNOWN | — | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently … | Jul 02, 2026 |
| CVE-2026-53422 | UNKNOWN | — | Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the … | Jul 02, 2026 |
| CVE-2026-50282 | UNKNOWN | — | Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an … | Jul 02, 2026 |
| CVE-2026-50281 | UNKNOWN | — | Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An … | Jul 02, 2026 |
| CVE-2026-44935 | CRITICAL | 9.9 | Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 … | Jul 02, 2026 |
| CVE-2024-58352 | HIGH | 7.5 | Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the … | Jul 02, 2026 |
| CVE-2024-14037 | CRITICAL | 9.8 | Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob … | Jul 02, 2026 |
| CVE-2022-50973 | CRITICAL | 9.8 | Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submitting a … | Jul 02, 2026 |
| CVE-2026-58455 | CRITICAL | 9.8 | Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after … | Jul 02, 2026 |
| CVE-2026-44941 | HIGH | 8.4 | A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious … | Jul 02, 2026 |