Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20648
Total
1489
Critical
6270
High
6549
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-53283 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Bounds-check devid in __rlookup_amd_iommu() iommu_device_register() walks every device on the PCI bus via bus_for_each_dev() … | Jun 26, 2026 |
| CVE-2026-53282 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Push kjump return address even for non-kjump kexec The version of purgatory code shipped … | Jun 26, 2026 |
| CVE-2026-53281 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL … | Jun 26, 2026 |
| CVE-2026-53280 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done() Local sashiko review pointed it out that group->domain … | Jun 26, 2026 |
| CVE-2026-53279 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: drm/gma500/oaktrail_lvds: fix hang on init failure The LVDS init code looks up an I2C adapter … | Jun 26, 2026 |
| CVE-2026-53278 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: arm_mpam: Check whether the config array is allocated before destroying it __destroy_component_cfg() is called to … | Jun 26, 2026 |
| CVE-2026-52785 | CRITICAL | 9.9 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers … | Jun 26, 2026 |
| CVE-2026-52784 | HIGH | 8.8 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This … | Jun 26, 2026 |
| CVE-2026-52783 | HIGH | 8.2 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under … | Jun 26, 2026 |
| CVE-2026-52782 | CRITICAL | 9.9 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access … | Jun 26, 2026 |
| CVE-2026-52781 | MEDIUM | 6.4 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An … | Jun 26, 2026 |
| CVE-2026-52780 | CRITICAL | 9.6 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed … | Jun 26, 2026 |
| CVE-2026-52779 | MEDIUM | 5.4 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner … | Jun 26, 2026 |
| CVE-2026-49991 | HIGH | 8.6 | RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a … | Jun 26, 2026 |
| CVE-2026-49355 | MEDIUM | 4.3 | OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to … | Jun 26, 2026 |
| CVE-2026-47193 | HIGH | 7.5 | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and … | Jun 26, 2026 |
| CVE-2026-46386 | CRITICAL | 9.9 | OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined … | Jun 26, 2026 |
| CVE-2026-44736 | MEDIUM | 6.5 | OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject … | Jun 26, 2026 |
| CVE-2026-44735 | MEDIUM | 6.5 | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a … | Jun 26, 2026 |
| CVE-2026-44734 | MEDIUM | 6.5 | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions … | Jun 26, 2026 |
| CVE-2026-44733 | MEDIUM | 5.9 | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass … | Jun 26, 2026 |
| CVE-2026-44732 | MEDIUM | 4.3 | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target … | Jun 26, 2026 |
| CVE-2026-44731 | MEDIUM | 4.3 | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds … | Jun 26, 2026 |
| CVE-2026-44696 | MEDIUM | 5.7 | OpenProject is open-source, web-based project management software. Prior to 17.4.0, OpenProject's rich text (markdown) rendering pipeline uses Sanitize::Config::RELAXED[:css] for inline style sanitization. This configuration permits … | Jun 26, 2026 |
| CVE-2026-32833 | HIGH | 8.8 | Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting … | Jun 26, 2026 |