Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20528
Total
1468
Critical
6215
High
6518
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-12560 | MEDIUM | 4.4 | The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions … | Jun 30, 2026 |
| CVE-2026-12349 | MEDIUM | 5.3 | The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This … | Jun 30, 2026 |
| CVE-2026-12073 | CRITICAL | 9.8 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and … | Jun 30, 2026 |
| CVE-2026-11367 | MEDIUM | 6.5 | The PixMagix – WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the move_image_on_server … | Jun 30, 2026 |
| CVE-2026-14160 | MEDIUM | 5.9 | Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions. This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0d. | Jun 30, 2026 |
| CVE-2026-12114 | MEDIUM | 4.4 | The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up … | Jun 30, 2026 |
| CVE-2026-58302 | HIGH | 8.4 | rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a … | Jun 30, 2026 |
| CVE-2026-12243 | HIGH | 7.5 | NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks … | Jun 30, 2026 |
| CVE-2026-8023 | HIGH | 7.5 | Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this … | Jun 29, 2026 |
| CVE-2026-7656 | HIGH | 8.1 | The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 … | Jun 29, 2026 |
| CVE-2026-51219 | MEDIUM | 6.5 | A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted … | Jun 29, 2026 |
| CVE-2026-51218 | MEDIUM | 6.5 | A heap buffer overflow in the TS7Worker::PerformFunctionWrite() function (/core/s7_server.cpp) of snap7 v1.4.3 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | Jun 29, 2026 |
| CVE-2026-10648 | MEDIUM | 6.2 | mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet pool (CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, … | Jun 29, 2026 |
| CVE-2026-57997 | MEDIUM | 4.8 | Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing … | Jun 29, 2026 |
| CVE-2026-51221 | HIGH | 7.5 | A buffer overflow in the Get_Attribute_List function of EIPStackGroup OpENer commit 76b95c allows attackers to cause a Denial of Service (DoS) via supplying a crafted … | Jun 29, 2026 |
| CVE-2026-34592 | HIGH | 7.7 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to … | Jun 29, 2026 |
| CVE-2026-10647 | MEDIUM | 5.3 | The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still … | Jun 29, 2026 |
| CVE-2026-55957 | HIGH | 7.3 | Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided … | Jun 29, 2026 |
| CVE-2026-55956 | MEDIUM | 6.5 | Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of … | Jun 29, 2026 |
| CVE-2026-55955 | MEDIUM | 6.5 | Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through … | Jun 29, 2026 |
| CVE-2026-55276 | CRITICAL | 9.1 | Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. … | Jun 29, 2026 |
| CVE-2026-53434 | CRITICAL | 9.1 | Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 … | Jun 29, 2026 |
| CVE-2026-53404 | HIGH | 7.3 | Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were … | Jun 29, 2026 |
| CVE-2026-50229 | MEDIUM | 6.1 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache … | Jun 29, 2026 |
| CVE-2026-41896 | HIGH | 7.5 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which … | Jun 29, 2026 |