Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22874
Total
1630
Critical
7150
High
7293
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-49742 | UNKNOWN | — | Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. … | Jun 09, 2026 |
| CVE-2026-49741 | UNKNOWN | — | Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the … | Jun 09, 2026 |
| CVE-2026-49740 | UNKNOWN | — | TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the … | Jun 09, 2026 |
| CVE-2026-49738 | UNKNOWN | — | The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be … | Jun 09, 2026 |
| CVE-2026-47352 | UNKNOWN | — | Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted … | Jun 09, 2026 |
| CVE-2026-47351 | UNKNOWN | — | Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information … | Jun 09, 2026 |
| CVE-2026-47350 | UNKNOWN | — | Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions … | Jun 09, 2026 |
| CVE-2026-47349 | UNKNOWN | — | Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. … | Jun 09, 2026 |
| CVE-2026-47348 | UNKNOWN | — | Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index … | Jun 09, 2026 |
| CVE-2026-47347 | UNKNOWN | — | Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the … | Jun 09, 2026 |
| CVE-2026-47346 | UNKNOWN | — | Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. … | Jun 09, 2026 |
| CVE-2026-47343 | UNKNOWN | — | Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file … | Jun 09, 2026 |
| CVE-2026-11607 | UNKNOWN | — | Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying … | Jun 09, 2026 |
| CVE-2026-52902 | MEDIUM | 4.7 | A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker … | Jun 09, 2026 |
| CVE-2026-4058 | MEDIUM | 4.3 | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due … | Jun 09, 2026 |
| CVE-2026-46749 | HIGH | 7.5 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a … | Jun 09, 2026 |
| CVE-2026-46748 | HIGH | 8.8 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a binary that is configured with … | Jun 09, 2026 |
| CVE-2026-46747 | MEDIUM | 4.3 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in … | Jun 09, 2026 |
| CVE-2026-46746 | HIGH | 8.8 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the … | Jun 09, 2026 |
| CVE-2026-41031 | HIGH | 8.7 | A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to … | Jun 09, 2026 |
| CVE-2026-24349 | HIGH | 7.1 | A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified … | Jun 09, 2026 |
| CVE-2026-10731 | UNKNOWN | — | SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior … | Jun 09, 2026 |
| CVE-2025-40808 | MEDIUM | 6.1 | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC … | Jun 09, 2026 |
| CVE-2025-10263 | CRITICAL | 9.1 | Arm C1-Ultra, C1-Premium, Neoverse V3 & V3AE, Neoverse V2, Neoverse V1, Neoverse-N2, Neoverse-N1, Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 & X1C, Cortex-A710, Cortex-A78, A78AE & A78C, … | Jun 09, 2026 |
| CVE-2026-8677 | MEDIUM | 6.4 | The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings … | Jun 09, 2026 |