Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23813
Total
1705
Critical
7468
High
7599
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-7666 | LOW | 3.1 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after … | Jun 03, 2026 |
| CVE-2026-6873 | LOW | 3.1 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name … | Jun 03, 2026 |
| CVE-2026-5241 | HIGH | 8.0 | A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The … | Jun 03, 2026 |
| CVE-2026-48587 | LOW | 3.1 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` … | Jun 03, 2026 |
| CVE-2026-47325 | UNKNOWN | — | ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth (e.g., 12072000 for 12 July 2000). The … | Jun 03, 2026 |
| CVE-2026-47324 | UNKNOWN | — | ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting (XSS) in multiple attributes of students and teachers objects. An authorized attacker (e.g., a teacher or administrator) … | Jun 03, 2026 |
| CVE-2026-44546 | LOW | 3.7 | daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat … | Jun 03, 2026 |
| CVE-2026-44545 | MEDIUM | 5.3 | daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could … | Jun 03, 2026 |
| CVE-2026-37460 | UNKNOWN | — | Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying … | Jun 03, 2026 |
| CVE-2026-35193 | LOW | 3.1 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header … | Jun 03, 2026 |
| CVE-2026-10729 | UNKNOWN | — | An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site … | Jun 03, 2026 |
| CVE-2025-70101 | MEDIUM | 6.5 | An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a … | Jun 03, 2026 |
| CVE-2025-70100 | MEDIUM | 5.5 | A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a … | Jun 03, 2026 |
| CVE-2025-60477 | MEDIUM | 5.0 | A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying … | Jun 03, 2026 |
| CVE-2024-47273 | MEDIUM | 4.3 | An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote … | Jun 03, 2026 |
| CVE-2024-47263 | MEDIUM | 4.1 | An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote … | Jun 03, 2026 |
| CVE-2023-52951 | MEDIUM | 5.9 | A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential. | Jun 03, 2026 |
| CVE-2022-49042 | HIGH | 7.8 | An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute … | Jun 03, 2026 |
| CVE-2022-49036 | HIGH | 7.8 | An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local … | Jun 03, 2026 |
| CVE-2026-35085 | HIGH | 8.8 | A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root. | Jun 03, 2026 |
| CVE-2026-35084 | HIGH | 8.8 | A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root. | Jun 03, 2026 |
| CVE-2026-35083 | HIGH | 8.8 | A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root. | Jun 03, 2026 |
| CVE-2026-35082 | HIGH | 8.8 | The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input. | Jun 03, 2026 |
| CVE-2026-35081 | HIGH | 8.1 | The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input. | Jun 03, 2026 |
| CVE-2026-35080 | HIGH | 8.1 | The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | Jun 03, 2026 |