Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23873
Total
1707
Critical
7489
High
7624
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-10244 | LOW | 3.5 | A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function create_medicine_name of the file /ShowForm/create_medicine_name/main. Performing … | Jun 01, 2026 |
| CVE-2026-9024 | HIGH | 8.7 | A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow … | Jun 01, 2026 |
| CVE-2026-8474 | MEDIUM | 5.3 | A vulnerability was discovered on Stormshield Network Security * 4.3.0 to 4.3.41, * 4.8.0 to 4.8.15, * 5.0.0 to 5.0.5 It is possible to execute … | Jun 01, 2026 |
| CVE-2026-7858 | CRITICAL | 9.8 | A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA … | Jun 01, 2026 |
| CVE-2026-49361 | HIGH | 7.5 | Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap … | Jun 01, 2026 |
| CVE-2026-49298 | UNKNOWN | — | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker … | Jun 01, 2026 |
| CVE-2026-49270 | MEDIUM | 5.9 | Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with … | Jun 01, 2026 |
| CVE-2026-49267 | UNKNOWN | — | Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] … | Jun 01, 2026 |
| CVE-2026-49157 | HIGH | 8.8 | Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin … | Jun 01, 2026 |
| CVE-2026-48827 | HIGH | 7.1 | Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH … | Jun 01, 2026 |
| CVE-2026-48726 | UNKNOWN | — | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow … | Jun 01, 2026 |
| CVE-2026-46764 | MEDIUM | 4.3 | The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, … | Jun 01, 2026 |
| CVE-2026-46605 | MEDIUM | 4.3 | Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache … | Jun 01, 2026 |
| CVE-2026-45505 | HIGH | 8.8 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such … | Jun 01, 2026 |
| CVE-2026-45426 | LOW | 3.1 | Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log … | Jun 01, 2026 |
| CVE-2026-45360 | UNKNOWN | — | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG … | Jun 01, 2026 |
| CVE-2026-44825 | HIGH | 8.1 | Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to … | Jun 01, 2026 |
| CVE-2026-42588 | HIGH | 8.1 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes … | Jun 01, 2026 |
| CVE-2026-42360 | MEDIUM | 6.5 | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON … | Jun 01, 2026 |
| CVE-2026-42359 | UNKNOWN | — | A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom … | Jun 01, 2026 |
| CVE-2026-42358 | MEDIUM | 6.5 | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when … | Jun 01, 2026 |
| CVE-2026-42253 | MEDIUM | 6.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API … | Jun 01, 2026 |
| CVE-2026-42252 | UNKNOWN | — | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization … | Jun 01, 2026 |
| CVE-2026-41084 | UNKNOWN | — | A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the … | Jun 01, 2026 |
| CVE-2026-41017 | MEDIUM | 5.9 | Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. … | Jun 01, 2026 |