Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21246
Total
1526
Critical
6466
High
6753
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-55653 | MEDIUM | 4.3 | A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This … | Jun 23, 2026 |
| CVE-2026-11833 | UNKNOWN | — | Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This … | Jun 23, 2026 |
| CVE-2026-10658 | HIGH | 7.1 | A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing … | Jun 23, 2026 |
| CVE-2026-10651 | HIGH | 7.1 | A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains … | Jun 23, 2026 |
| CVE-2026-10645 | MEDIUM | 4.9 | Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the … | Jun 23, 2026 |
| CVE-2026-54236 | MEDIUM | 5.3 | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that … | Jun 22, 2026 |
| CVE-2026-54235 | UNKNOWN | — | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (<, >), which … | Jun 22, 2026 |
| CVE-2026-54233 | MEDIUM | 6.5 | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded … | Jun 22, 2026 |
| CVE-2026-54232 | HIGH | 8.8 | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack … | Jun 22, 2026 |
| CVE-2026-53923 | UNKNOWN | — | vLLM is an inference and serving engine for large language models (LLMs). From 0.5.5 until 0.23.1rc0, integer truncation of tensor dimensions in vLLM's GGUF dequantize … | Jun 22, 2026 |
| CVE-2026-48746 | CRITICAL | 9.1 | vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust … | Jun 22, 2026 |
| CVE-2026-47155 | MEDIUM | 6.5 | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all … | Jun 22, 2026 |
| CVE-2026-41523 | HIGH | 7.5 | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows … | Jun 22, 2026 |
| CVE-2026-12863 | UNKNOWN | — | An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains. | Jun 22, 2026 |
| CVE-2026-12862 | UNKNOWN | — | Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the … | Jun 22, 2026 |
| CVE-2026-12581 | HIGH | 7.5 | EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain … | Jun 22, 2026 |
| CVE-2026-12580 | MEDIUM | 5.4 | EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon … | Jun 22, 2026 |
| CVE-2025-4994 | UNKNOWN | — | The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication … | Jun 22, 2026 |
| CVE-2023-45796 | HIGH | 8.1 | A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged … | Jun 22, 2026 |
| CVE-2023-45795 | HIGH | 7.8 | A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full … | Jun 22, 2026 |
| CVE-2026-54665 | UNKNOWN | — | Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header … | Jun 22, 2026 |
| CVE-2026-44914 | UNKNOWN | — | Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. … | Jun 22, 2026 |
| CVE-2026-44913 | UNKNOWN | — | Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. … | Jun 22, 2026 |
| CVE-2026-44911 | UNKNOWN | — | Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed … | Jun 22, 2026 |
| CVE-2025-66336 | UNKNOWN | — | Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, … | Jun 22, 2026 |