Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21839
Total
1559
Critical
6635
High
6967
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-71376 | HIGH | 8.1 | picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary … | Jun 23, 2026 |
| CVE-2025-71370 | HIGH | 8.1 | picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and … | Jun 23, 2026 |
| CVE-2025-71365 | HIGH | 8.1 | picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary … | Jun 23, 2026 |
| CVE-2025-71341 | HIGH | 8.1 | picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious … | Jun 23, 2026 |
| CVE-2025-71337 | HIGH | 8.3 | Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as … | Jun 23, 2026 |
| CVE-2023-54365 | HIGH | 7.5 | Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / … | Jun 23, 2026 |
| CVE-2026-4983 | MEDIUM | 4.1 | Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such … | Jun 23, 2026 |
| CVE-2026-11374 | CRITICAL | 9.0 | In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an … | Jun 23, 2026 |
| CVE-2026-9733 | CRITICAL | 9.1 | Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to … | Jun 23, 2026 |
| CVE-2026-10521 | HIGH | 7.2 | An high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This … | Jun 23, 2026 |
| CVE-2026-8379 | HIGH | 7.5 | The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to … | Jun 23, 2026 |
| CVE-2026-8378 | MEDIUM | 5.4 | The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it … | Jun 23, 2026 |
| CVE-2026-8172 | HIGH | 7.1 | The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, … | Jun 23, 2026 |
| CVE-2026-8163 | HIGH | 8.8 | The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL … | Jun 23, 2026 |
| CVE-2026-7842 | MEDIUM | 6.8 | The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), … | Jun 23, 2026 |
| CVE-2026-12866 | CRITICAL | 9.8 | All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions … | Jun 23, 2026 |
| CVE-2026-55655 | MEDIUM | 5.0 | A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by … | Jun 23, 2026 |
| CVE-2026-55654 | LOW | 3.7 | A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators … | Jun 23, 2026 |
| CVE-2026-55653 | MEDIUM | 4.3 | A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This … | Jun 23, 2026 |
| CVE-2026-11833 | UNKNOWN | — | Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This … | Jun 23, 2026 |
| CVE-2026-10658 | HIGH | 7.1 | A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing … | Jun 23, 2026 |
| CVE-2026-10651 | HIGH | 7.1 | A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains … | Jun 23, 2026 |
| CVE-2026-10645 | MEDIUM | 4.9 | Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the … | Jun 23, 2026 |
| CVE-2026-54236 | MEDIUM | 5.3 | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that … | Jun 22, 2026 |
| CVE-2026-54235 | UNKNOWN | — | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (<, >), which … | Jun 22, 2026 |