Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

20470
Total
1466
Critical
6212
High
6509
Medium
CVE ID Severity Score Description Published
CVE-2026-11714 HIGH 8.5 IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled. Jun 30, 2026
CVE-2026-11712 CRITICAL 9.3 IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system. Jun 30, 2026
CVE-2026-11708 CRITICAL 9.3 IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system. Jun 30, 2026
CVE-2026-11595 MEDIUM 4.3 IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system. Jun 30, 2026
CVE-2026-11546 HIGH 7.1 IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled. Jun 30, 2026
CVE-2026-10564 HIGH 8.2 IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP … Jun 30, 2026
CVE-2026-10560 HIGH 8.2 IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or … Jun 30, 2026
CVE-2026-10546 HIGH 7.1 IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-Use (TOCTOU) … Jun 30, 2026
CVE-2026-10140 CRITICAL 9.6 IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can … Jun 30, 2026
CVE-2026-10134 CRITICAL 10.0 IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, … Jun 30, 2026
CVE-2026-10129 HIGH 8.5 IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level … Jun 30, 2026
CVE-2026-10109 CRITICAL 9.8 IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling. Jun 30, 2026
CVE-2025-36372 MEDIUM 5.5 IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated … Jun 30, 2026
CVE-2026-58138 CRITICAL 9.8 Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow … Jun 30, 2026
CVE-2026-10513 HIGH 7.2 The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. … Jun 30, 2026
CVE-2026-9263 MEDIUM 6.5 The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification … Jun 30, 2026
CVE-2026-8864 UNKNOWN The HP Fan Control App might allow local escalation of privileges. An updated version of HP Fan Control App has been released to mitigate this … Jun 30, 2026
CVE-2026-58377 HIGH 8.1 JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI … Jun 30, 2026
CVE-2026-58376 HIGH 7.6 Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious … Jun 30, 2026
CVE-2026-58375 HIGH 7.5 JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export … Jun 30, 2026
CVE-2026-58373 MEDIUM 4.3 CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting … Jun 30, 2026
CVE-2026-58372 HIGH 8.1 SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket … Jun 30, 2026
CVE-2026-58371 LOW 3.1 SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no callback-name validation, … Jun 30, 2026
CVE-2026-58370 HIGH 8.1 Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) … Jun 30, 2026
CVE-2026-58369 MEDIUM 5.3 Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the … Jun 30, 2026