CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10238 | Critical: 701 | High: 2952 | Medium: 3222
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42186 | UNKNOWN | — | OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all … | May 14, 2026 |
| CVE-2026-41937 | HIGH | 7.2 | Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading … | May 14, 2026 |
| CVE-2026-41935 | HIGH | 7.1 | Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion … | May 14, 2026 |
| CVE-2026-41933 | MEDIUM | 5.3 | Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper … | May 14, 2026 |
| CVE-2026-41932 | MEDIUM | 6.1 | Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the … | May 14, 2026 |
| CVE-2026-24712 | UNKNOWN | — | Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection. | May 14, 2026 |
| CVE-2026-24711 | UNKNOWN | — | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control. | May 14, 2026 |
| CVE-2026-24710 | MEDIUM | 6.1 | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS. | May 14, 2026 |
| CVE-2026-21730 | UNKNOWN | — | Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using … | May 14, 2026 |
| CVE-2025-69443 | UNKNOWN | — | Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, when accessed by a victim, can execute commands, run prompts on behalf of the … | May 14, 2026 |
| CVE-2025-62628 | UNKNOWN | — | Unsafe OpenSSL initialization within some AMD optional tools may allow a local user-privileged attacker to inject a malicious DLL, potentially resulting in arbitrary code execution. | May 14, 2026 |
| CVE-2025-62625 | UNKNOWN | — | Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access … | May 14, 2026 |
| CVE-2025-62619 | UNKNOWN | — | Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading … | May 14, 2026 |
| CVE-2026-6638 | LOW | 3.7 | SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. … | May 14, 2026 |
| CVE-2026-6637 | HIGH | 8.8 | Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A … | May 14, 2026 |
| CVE-2026-6575 | MEDIUM | 4.3 | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows … | May 14, 2026 |
| CVE-2026-6479 | HIGH | 7.5 | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. … | May 14, 2026 |
| CVE-2026-6478 | MEDIUM | 6.5 | Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect … | May 14, 2026 |
| CVE-2026-6477 | HIGH | 8.8 | Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client … | May 14, 2026 |
| CVE-2026-6476 | HIGH | 7.2 | SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next … | May 14, 2026 |
| CVE-2026-6475 | HIGH | 8.8 | Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system … | May 14, 2026 |
| CVE-2026-6474 | MEDIUM | 4.3 | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, … | May 14, 2026 |
| CVE-2026-6473 | HIGH | 8.8 | Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may … | May 14, 2026 |
| CVE-2026-6472 | MEDIUM | 5.4 | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That … | May 14, 2026 |
| CVE-2026-1630 | UNKNOWN | — | WEBCON BPS is vulnerable to Reflected XSS via one of parameters used by "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when … | May 14, 2026 |