Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22374
Total
1599
Critical
6838
High
7169
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-52755 | HIGH | 7.8 | Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers … | Jun 10, 2026 |
| CVE-2026-52754 | HIGH | 8.8 | Ghidra before 12.1 contains an authentication bypass vulnerability in PKIAuthenticationModule.authenticate() that allows any user with a valid CA-signed certificate to impersonate other users by presenting … | Jun 10, 2026 |
| CVE-2026-52753 | MEDIUM | 5.5 | Ghidra before 12.0.3 contains an out-of-memory vulnerability in the rust_demangle function that allocates unbounded output buffers without size limits. Attackers can craft malicious Rust symbol … | Jun 10, 2026 |
| CVE-2026-52752 | HIGH | 7.8 | Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious … | Jun 10, 2026 |
| CVE-2026-52751 | HIGH | 8.8 | Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious … | Jun 10, 2026 |
| CVE-2026-52750 | HIGH | 7.8 | Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary … | Jun 10, 2026 |
| CVE-2026-49498 | HIGH | 8.8 | Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into … | Jun 10, 2026 |
| CVE-2026-49497 | LOW | 3.3 | Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers … | Jun 10, 2026 |
| CVE-2026-49496 | MEDIUM | 6.1 | Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by … | Jun 10, 2026 |
| CVE-2026-49495 | MEDIUM | 5.5 | Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O … | Jun 10, 2026 |
| CVE-2026-49069 | HIGH | 7.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS. This issue affects WPZOOM Portfolio: from n/a through … | Jun 10, 2026 |
| CVE-2025-71330 | HIGH | 7.5 | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted … | Jun 10, 2026 |
| CVE-2025-71329 | HIGH | 7.5 | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted … | Jun 10, 2026 |
| CVE-2024-58350 | LOW | 2.9 | Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. … | Jun 10, 2026 |
| CVE-2026-24067 | HIGH | 8.4 | Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by … | Jun 10, 2026 |
| CVE-2026-24066 | HIGH | 8.4 | Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by … | Jun 10, 2026 |
| CVE-2026-11859 | UNKNOWN | — | An HTML injection vulnerability in the "fetch links" email sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting (XSS) in emails clients that … | Jun 10, 2026 |
| CVE-2026-3018 | HIGH | 7.5 | The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to … | Jun 10, 2026 |
| CVE-2026-11853 | MEDIUM | 6.5 | Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that … | Jun 10, 2026 |
| CVE-2026-11852 | MEDIUM | 6.5 | Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create … | Jun 10, 2026 |
| CVE-2025-6254 | CRITICAL | 9.8 | The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() … | Jun 10, 2026 |
| CVE-2026-9019 | MEDIUM | 6.4 | The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, … | Jun 10, 2026 |
| CVE-2026-8853 | MEDIUM | 4.4 | The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 … | Jun 10, 2026 |
| CVE-2026-8613 | MEDIUM | 6.4 | The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, … | Jun 10, 2026 |
| CVE-2026-10721 | UNKNOWN | — | Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components. An unauthenticated attacker may … | Jun 10, 2026 |