Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21987
Total
1565
Critical
6684
High
7043
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-46690 | MEDIUM | 5.8 | unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At … | Jun 12, 2026 |
| CVE-2026-45833 | UNKNOWN | — | A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server … | Jun 12, 2026 |
| CVE-2026-45832 | UNKNOWN | — | All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls … | Jun 12, 2026 |
| CVE-2026-45831 | UNKNOWN | — | The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks … | Jun 12, 2026 |
| CVE-2026-45830 | UNKNOWN | — | A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or … | Jun 12, 2026 |
| CVE-2026-44976 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has … | Jun 12, 2026 |
| CVE-2026-44975 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. … | Jun 12, 2026 |
| CVE-2026-44967 | MEDIUM | 5.3 | OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector … | Jun 12, 2026 |
| CVE-2026-44208 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to … | Jun 12, 2026 |
| CVE-2026-44207 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration … | Jun 12, 2026 |
| CVE-2026-44206 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has … | Jun 12, 2026 |
| CVE-2026-40677 | UNKNOWN | — | The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution. | Jun 12, 2026 |
| CVE-2026-8694 | MEDIUM | 5.3 | Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints. | Jun 12, 2026 |
| CVE-2026-7368 | HIGH | 8.1 | The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can … | Jun 12, 2026 |
| CVE-2026-6853 | CRITICAL | 9.8 | Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This … | Jun 12, 2026 |
| CVE-2026-6211 | HIGH | 8.7 | Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs. This issue … | Jun 12, 2026 |
| CVE-2026-54133 | CRITICAL | 9.8 | jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. … | Jun 12, 2026 |
| CVE-2026-53787 | CRITICAL | 9.8 | Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to … | Jun 12, 2026 |
| CVE-2026-53722 | UNKNOWN | — | Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound … | Jun 12, 2026 |
| CVE-2026-53721 | UNKNOWN | — | Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware … | Jun 12, 2026 |
| CVE-2026-47739 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This … | Jun 12, 2026 |
| CVE-2026-47244 | MEDIUM | 5.3 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and … | Jun 12, 2026 |
| CVE-2026-47210 | CRITICAL | 9.8 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host … | Jun 12, 2026 |
| CVE-2026-47209 | HIGH | 8.6 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally … | Jun 12, 2026 |
| CVE-2026-47208 | CRITICAL | 10.0 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code … | Jun 12, 2026 |