Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

21839
Total
1559
Critical
6635
High
6967
Medium
CVE ID Severity Score Description Published
CVE-2025-71376 HIGH 8.1 picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary … Jun 23, 2026
CVE-2025-71370 HIGH 8.1 picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and … Jun 23, 2026
CVE-2025-71365 HIGH 8.1 picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary … Jun 23, 2026
CVE-2025-71341 HIGH 8.1 picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious … Jun 23, 2026
CVE-2025-71337 HIGH 8.3 Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as … Jun 23, 2026
CVE-2023-54365 HIGH 7.5 Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / … Jun 23, 2026
CVE-2026-4983 MEDIUM 4.1 Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such … Jun 23, 2026
CVE-2026-11374 CRITICAL 9.0 In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an … Jun 23, 2026
CVE-2026-9733 CRITICAL 9.1 Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to … Jun 23, 2026
CVE-2026-10521 HIGH 7.2 An high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This … Jun 23, 2026
CVE-2026-8379 HIGH 7.5 The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to … Jun 23, 2026
CVE-2026-8378 MEDIUM 5.4 The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it … Jun 23, 2026
CVE-2026-8172 HIGH 7.1 The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, … Jun 23, 2026
CVE-2026-8163 HIGH 8.8 The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL … Jun 23, 2026
CVE-2026-7842 MEDIUM 6.8 The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), … Jun 23, 2026
CVE-2026-12866 CRITICAL 9.8 All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions … Jun 23, 2026
CVE-2026-55655 MEDIUM 5.0 A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by … Jun 23, 2026
CVE-2026-55654 LOW 3.7 A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators … Jun 23, 2026
CVE-2026-55653 MEDIUM 4.3 A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This … Jun 23, 2026
CVE-2026-11833 UNKNOWN Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This … Jun 23, 2026
CVE-2026-10658 HIGH 7.1 A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing … Jun 23, 2026
CVE-2026-10651 HIGH 7.1 A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains … Jun 23, 2026
CVE-2026-10645 MEDIUM 4.9 Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the … Jun 23, 2026
CVE-2026-54236 MEDIUM 5.3 vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that … Jun 22, 2026
CVE-2026-54235 UNKNOWN vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, ll temperature validation gates use comparison operators (<, >), which … Jun 22, 2026