Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 20386 | Critical: 1466 | High: 6177 | Medium: 6480
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-53326 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: debugobjects: Don't call fill_pool() in early boot hardirq context When booting a debug PREEMPT_RT kernel … | Jul 01, 2026 |
| CVE-2026-13603 | UNKNOWN | — | The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following … | Jul 01, 2026 |
| CVE-2026-8387 | LOW | 2.4 | A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting `.zip` archives using the `ZipFile.extractall()` method in `StorageManager._extract_to_cache()`. … | Jul 01, 2026 |
| CVE-2026-5120 | HIGH | 8.1 | A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user. | Jul 01, 2026 |
| CVE-2026-53909 | UNKNOWN | — | MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged … | Jul 01, 2026 |
| CVE-2026-53908 | UNKNOWN | — | MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset … | Jul 01, 2026 |
| CVE-2026-53907 | UNKNOWN | — | MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can … | Jul 01, 2026 |
| CVE-2026-53906 | UNKNOWN | — | MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter … | Jul 01, 2026 |
| CVE-2026-53905 | UNKNOWN | — | MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. … | Jul 01, 2026 |
| CVE-2026-53904 | UNKNOWN | — | MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as … | Jul 01, 2026 |
| CVE-2026-53903 | UNKNOWN | — | MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user … | Jul 01, 2026 |
| CVE-2026-53902 | UNKNOWN | — | MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege … | Jul 01, 2026 |
| CVE-2026-14198 | CRITICAL | 9.1 | @fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding … | Jul 01, 2026 |
| CVE-2026-14181 | HIGH | 7.5 | @fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. … | Jul 01, 2026 |
| CVE-2026-13323 | MEDIUM | 4.1 | In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. … | Jul 01, 2026 |
| CVE-2026-14258 | MEDIUM | 6.5 | A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can … | Jul 01, 2026 |
| CVE-2026-13228 | HIGH | 8.8 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and … | Jul 01, 2026 |
| CVE-2026-12142 | HIGH | 7.2 | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up … | Jul 01, 2026 |
| CVE-2026-10095 | MEDIUM | 6.4 | The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, … | Jul 01, 2026 |
| CVE-2026-27435 | MEDIUM | 5.3 | Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33. | Jul 01, 2026 |
| CVE-2026-13454 | MEDIUM | 6.5 | The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 … | Jul 01, 2026 |
| CVE-2026-12754 | MEDIUM | 6.1 | The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, … | Jul 01, 2026 |
| CVE-2026-56016 | MEDIUM | 5.9 | CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of … | Jul 01, 2026 |
| CVE-2026-50043 | HIGH | 7.2 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary … | Jul 01, 2026 |
| CVE-2026-13733 | MEDIUM | 6.4 | The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute in all versions up to, and including, 3.3.60 due … | Jul 01, 2026 |