Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21951
Total
1564
Critical
6675
High
7022
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-54412 | HIGH | 8.2 | LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker … | Jun 14, 2026 |
| CVE-2026-54411 | MEDIUM | 5.9 | Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker … | Jun 14, 2026 |
| CVE-2026-54410 | HIGH | 8.6 | nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled … | Jun 14, 2026 |
| CVE-2026-11527 | UNKNOWN | — | Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens … | Jun 14, 2026 |
| CVE-2026-11526 | UNKNOWN | — | GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a … | Jun 14, 2026 |
| CVE-2025-15546 | UNKNOWN | — | The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to … | Jun 14, 2026 |
| CVE-2026-54421 | MEDIUM | 6.8 | In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive … | Jun 14, 2026 |
| CVE-2026-54420 | HIGH | 8.5 | LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access … | Jun 14, 2026 |
| CVE-2026-12176 | MEDIUM | 4.3 | A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. The impacted element is an unknown function of the … | Jun 14, 2026 |
| CVE-2026-12175 | MEDIUM | 4.7 | A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the … | Jun 13, 2026 |
| CVE-2026-12174 | HIGH | 8.8 | A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. … | Jun 13, 2026 |
| CVE-2026-12183 | CRITICAL | 9.8 | Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php … | Jun 13, 2026 |
| CVE-2026-6428 | HIGH | 7.6 | SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x … | Jun 13, 2026 |
| CVE-2026-5513 | HIGH | 7.2 | The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up … | Jun 13, 2026 |
| CVE-2026-1291 | MEDIUM | 4.3 | The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode … | Jun 13, 2026 |
| CVE-2026-11624 | UNKNOWN | — | The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior … | Jun 13, 2026 |
| CVE-2026-9629 | MEDIUM | 6.4 | The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to … | Jun 13, 2026 |
| CVE-2026-3297 | MEDIUM | 6.4 | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions … | Jun 13, 2026 |
| CVE-2026-2470 | MEDIUM | 4.3 | The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, … | Jun 13, 2026 |
| CVE-2026-9134 | MEDIUM | 6.4 | The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31 This is … | Jun 13, 2026 |
| CVE-2026-9109 | HIGH | 7.2 | The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage … | Jun 13, 2026 |
| CVE-2026-9062 | UNKNOWN | — | The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators … | Jun 13, 2026 |
| CVE-2026-9061 | UNKNOWN | — | The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator … | Jun 13, 2026 |
| CVE-2026-11769 | UNKNOWN | — | We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the … | Jun 13, 2026 |
| CVE-2026-9848 | HIGH | 7.5 | The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 … | Jun 13, 2026 |