Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23657
Total
1684
Critical
7428
High
7547
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-49189 | HIGH | 7.8 | Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations. | Jun 04, 2026 |
| CVE-2026-49188 | CRITICAL | 9.8 | The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root … | Jun 04, 2026 |
| CVE-2026-49187 | HIGH | 7.5 | The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse. | Jun 04, 2026 |
| CVE-2026-10805 | MEDIUM | 6.7 | A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A … | Jun 04, 2026 |
| CVE-2026-49186 | CRITICAL | 9.8 | The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to … | Jun 04, 2026 |
| CVE-2026-49185 | CRITICAL | 9.8 | The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection. | Jun 04, 2026 |
| CVE-2026-48681 | MEDIUM | 5.9 | OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image. | Jun 04, 2026 |
| CVE-2026-44917 | MEDIUM | 4.9 | OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. | Jun 04, 2026 |
| CVE-2026-41283 | CRITICAL | 9.9 | OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to … | Jun 04, 2026 |
| CVE-2026-41010 | HIGH | 8.2 | ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array … | Jun 04, 2026 |
| CVE-2026-8829 | HIGH | 7.5 | HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV … | Jun 04, 2026 |
| CVE-2026-41860 | HIGH | 8.8 | CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an … | Jun 04, 2026 |
| CVE-2026-41859 | HIGH | 7.8 | A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with … | Jun 04, 2026 |
| CVE-2026-41858 | HIGH | 7.5 | Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a … | Jun 04, 2026 |
| CVE-2026-41011 | HIGH | 8.2 | PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The … | Jun 04, 2026 |
| CVE-2026-10597 | MEDIUM | 5.3 | OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email … | Jun 04, 2026 |
| CVE-2026-8653 | MEDIUM | 6.5 | The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, … | Jun 04, 2026 |
| CVE-2026-7764 | MEDIUM | 6.8 | An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker … | Jun 04, 2026 |
| CVE-2026-10737 | HIGH | 7.5 | The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in … | Jun 04, 2026 |
| CVE-2026-8722 | MEDIUM | 6.5 | Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources … | Jun 04, 2026 |
| CVE-2026-10783 | LOW | 2.5 | A security flaw has been discovered in gradio-app gradio 6.14.0. This affects the function save_audio_to_cache of the component Audio Cache Key Handler. Performing a manipulation … | Jun 04, 2026 |
| CVE-2026-2596 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | Jun 03, 2026 |
| CVE-2026-10777 | HIGH | 7.3 | A vulnerability was identified in ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. Affected by this issue is some unknown functionality of the file admin/config.php of the component … | Jun 03, 2026 |
| CVE-2026-10775 | LOW | 3.6 | A vulnerability was determined in sgl-project SGLang up to 0.5.11. Affected by this vulnerability is the function data_hash of the component Cache Handler. This manipulation … | Jun 03, 2026 |
| CVE-2026-46447 | MEDIUM | 5.8 | OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. | Jun 03, 2026 |