Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20453
Total
1466
Critical
6211
High
6501
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-71381 | MEDIUM | 6.5 | Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the … | Jun 30, 2026 |
| CVE-2025-71374 | HIGH | 8.1 | picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers … | Jun 30, 2026 |
| CVE-2025-71371 | HIGH | 8.1 | picklescan before 0.0.29 fails to detect malicious pickle files using code.InteractiveInterpreter.runcode in reduce methods. Attackers can craft pickle payloads that bypass picklescan detection and execute … | Jun 30, 2026 |
| CVE-2025-71368 | HIGH | 8.1 | picklescan before 0.0.30 fails to detect the doctest.debug_script function when analyzing pickle files, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle … | Jun 30, 2026 |
| CVE-2025-71363 | HIGH | 8.1 | picklescan before 0.0.30 fails to detect cProfile.run function calls in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle … | Jun 30, 2026 |
| CVE-2025-71355 | UNKNOWN | — | Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and execute arbitrary code during deserialization. … | Jun 30, 2026 |
| CVE-2025-71352 | HIGH | 8.1 | picklescan before 0.0.29 fails to detect the built-in Python trace.Trace.runctx function when used in pickle file reduce methods, allowing attackers to execute arbitrary code. Remote … | Jun 30, 2026 |
| CVE-2025-71350 | HIGH | 8.1 | picklescan before 0.0.28 fails to detect malicious pickle files using torch.utils.collect_env.run function in reduce methods. Attackers can embed undetected code in pickle files that executes … | Jun 30, 2026 |
| CVE-2025-71349 | HIGH | 8.1 | picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft … | Jun 30, 2026 |
| CVE-2026-58450 | MEDIUM | 4.3 | Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect authenticated victims to attacker-controlled external … | Jun 30, 2026 |
| CVE-2026-58449 | CRITICAL | 9.8 | txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr … | Jun 30, 2026 |
| CVE-2026-58448 | MEDIUM | 6.5 | yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by … | Jun 30, 2026 |
| CVE-2026-58447 | MEDIUM | 6.5 | Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists … | Jun 30, 2026 |
| CVE-2026-58446 | MEDIUM | 6.5 | Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because the nginx front-end … | Jun 30, 2026 |
| CVE-2026-57585 | HIGH | 7.5 | MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading … | Jun 30, 2026 |
| CVE-2026-57204 | UNKNOWN | — | pypdf is a free and open-source pure-python PDF library. Prior to 6.13.3, a maliciously crafted PDF can cause DoS. An attacker who uses this vulnerability … | Jun 30, 2026 |
| CVE-2026-52868 | HIGH | 8.2 | An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental … | Jun 30, 2026 |
| CVE-2026-52196 | HIGH | 7.5 | Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_416f28 component | Jun 30, 2026 |
| CVE-2026-50254 | HIGH | 7.5 | An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly … | Jun 30, 2026 |
| CVE-2026-50003 | CRITICAL | 9.8 | A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative … | Jun 30, 2026 |
| CVE-2026-37106 | CRITICAL | 9.8 | An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed … | Jun 30, 2026 |
| CVE-2026-35505 | HIGH | 7.5 | An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and … | Jun 30, 2026 |
| CVE-2026-11541 | HIGH | 7.4 | IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability. | Jun 30, 2026 |
| CVE-2026-10585 | UNKNOWN | — | A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by … | Jun 30, 2026 |
| CVE-2026-9132 | UNKNOWN | — | A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not … | Jun 30, 2026 |