CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-47117 OpenMed < 1.5.2 Remote Code Execution via PII Model Loading 02.06.2026 9.3
CVE-2026-7198 CWE-284: Improper Access Control in web services in Progress Sitefinity 02.06.2026 9.8
CVE-2026-7312 CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity 02.06.2026 10
CVE-2026-42684 WordPress WP Job Portal plugin <= 2.5.1 - SQL Injection vulnerability 02.06.2026 9.3
CVE-2025-53209 WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability 02.06.2026 9.8
CVE-2026-34906 Server-Side Template Injection (SSTI) in Wirtualna Uczelnia 02.06.2026 9.3
CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' 02.06.2026 9.8
CVE-2026-25879 Langroid has Prompt to SQL Injection, Leading to RCE 01.06.2026 9.8
CVE-2018-25427 Arm Whois 3.11 Buffer Overflow via SEH Overwrite 02.06.2026 9.3
CVE-2026-40965 02.06.2026 10
CVE-2026-0072 01.06.2026 10
CVE-2026-49121 AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization 01.06.2026 9.2
CVE-2026-8644 IBM WebSphere Application Server is affected by an identity spoofing vulnerability 01.06.2026 9.1
CVE-2026-9311 IBM WebSphere Application Server is affected by remote code execution 02.06.2026 9
CVE-2026-9319 IBM WebSphere Application Server is affected by a remote code execution vulnerability 02.06.2026 9
CVE-2026-42672 WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability 01.06.2026 9.3
CVE-2026-44211 Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability 01.06.2026 9.6
CVE-2026-45131 CloudPirates Open Source Helm Charts: GitHub Actions pull_request_target workflow allows secret exfiltration via fork pull requests 01.06.2026 10
CVE-2026-45132 CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling 01.06.2026 10
CVE-2026-0826 Poly Voice – Possible Remote Control of Certain Poly Devices 01.06.2026 9.2
CVE-2026-42680 WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability 01.06.2026 9.8
CVE-2026-42682 WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability 01.06.2026 9.1
CVE-2026-48866 WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability 01.06.2026 9.6
CVE-2026-48879 WordPress AIWU plugin <= 1.4.17 - Privilege Escalation vulnerability 01.06.2026 9.8
CVE-2026-8931 Critical RCE vulnerability in Disig Web Signer 01.06.2026 9.4
CVE-2026-7858 Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x 01.06.2026 9.8
CVE-2026-48188 SQL Injection via MySQL Quote Method 01.06.2026 9.1
CVE-2026-10187 Totolink N300RH Web Management wireless.so setWiFiBasicConfig stack-based overflow 02.06.2026 9.3
CVE-2018-25412 Delta Sql 1.8.2 Arbitrary File Upload via docs_upload.php 02.06.2026 9.3
CVE-2026-45372 cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection 01.06.2026 9.9
CVE-2026-45697 Formie: Pre-authenticated server-side template injection in Hidden fields 01.06.2026 9.8
CVE-2026-44649 SillyTavern: Authentication Bypass via SSO Header Injection 02.06.2026 9.8
CVE-2026-44650 SillyTavern: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 29.05.2026 9.1
CVE-2026-47744 Shopper: Authorization bypass and RBAC privilege escalation in team settings 29.05.2026 9.9
CVE-2026-9051 Authentication Bypass Vulnerability in NI SystemLink Enterprise 29.05.2026 9.3
CVE-2026-45625 Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs 01.06.2026 9.9
CVE-2026-45628 Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline 29.05.2026 9.6
CVE-2026-45629 Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint 02.06.2026 9.9
CVE-2026-45630 Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement 01.06.2026 9
CVE-2026-45631 Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret 01.06.2026 10
CVE-2026-45632 Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution 29.05.2026 9.9
CVE-2026-45633 Dokploy: Command Injection in /docker-container-logs Endpoint 29.05.2026 9.9
CVE-2026-45661 Dokploy: Remote Code Execution through Path Traversal 02.06.2026 9.9
CVE-2026-45668 Trilium Notes: Note Import to RCE via #docName Path Traversal (Safe Import Enabled) 29.05.2026 9.3
CVE-2026-5386 KMW CCTV Security Cameras Unverified Password Change 29.05.2026 9.1
CVE-2026-7786 Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials 29.05.2026 9.8
CVE-2026-44962 29.05.2026 10
CVE-2026-45663 Dokploy: Remote Code Execution via destinationPath in Container File Upload 29.05.2026 9.9
CVE-2026-10042 manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model 29.05.2026 9.2
CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators 29.05.2026 9.1
CVE-2026-46376 FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface 29.05.2026 9.3
CVE-2026-10071 Interinfo|DreamMaker - Arbitrary File Upload 29.05.2026 9.3
CVE-2026-45043 RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root 02.06.2026 9.3
CVE-2026-45312 RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution 02.06.2026 9.9
CVE-2026-8326 Remote Spark SparkView Path Traversal in RDP Drive Redirection leading to RCE 29.05.2026 10
CVE-2026-9508 Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar 29.05.2026 10
CVE-2025-41269 29.05.2026 9.3
CVE-2025-41270 29.05.2026 9.3
CVE-2025-41272 29.05.2026 9.3
CVE-2025-41273 29.05.2026 9.3
CVE-2025-41274 29.05.2026 9.3
CVE-2025-41275 29.05.2026 9.3
CVE-2025-41276 29.05.2026 9.3
CVE-2025-41277 29.05.2026 9.3
CVE-2026-9559 29.05.2026 9.9
CVE-2026-49201 Acer Wave 7 router: Hardcoded Cryptographic Key 29.05.2026 10
CVE-2026-9558 29.05.2026 9.9
CVE-2026-49197 Predator Connect W6x: Improper Authentication 29.05.2026 10
CVE-2026-49199 Predator Connect W6x: RCE via MQTT 29.05.2026 10
CVE-2026-49200 Acer Wave 7 router: Broken Access Control 29.05.2026 10
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification 29.05.2026 9.8
CVE-2026-8732 WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action 29.05.2026 9.8
CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter 29.05.2026 9.8
CVE-2026-44848 Portainer: Missing authorization on Docker plugin endpoints allows host RCE 01.06.2026 9.4
CVE-2026-44849 Portainer: Endpoint security bypass via Swarm service create/update 29.05.2026 9.4
CVE-2026-34311 29.05.2026 9.8
CVE-2026-45288 Marten has an SQL injection vulnerability in its full-text search regConfig parameter 30.05.2026 9.8
CVE-2026-46775 29.05.2026 9.9
CVE-2026-46817 29.05.2026 9.8
CVE-2026-46819 29.05.2026 9.1
CVE-2026-46822 29.05.2026 9.9
CVE-2026-46824 29.05.2026 9.9
CVE-2026-46833 29.05.2026 9
CVE-2026-46839 29.05.2026 9.9
CVE-2026-46840 29.05.2026 10
CVE-2026-9645 ScadaBR Authenticated Remote Code Execution 29.05.2026 9.9
CVE-2026-9037 Download of code without integrity check in XCharge C6 29.05.2026 9.3
CVE-2026-45039 RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation 30.05.2026 9.8
CVE-2026-43898 SandboxJS: Sandbox escape via Function.caller leakage of internal call op 28.05.2026 10
CVE-2026-45058 electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark 30.05.2026 9.4
CVE-2026-45311 CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval 01.06.2026 9.6
CVE-2026-45323 MeshCore Card: XSS vulnerability through meshcore node name 29.05.2026 9.6
CVE-2026-45353 electerm: Local code through electerm's single-instance socket 28.05.2026 9.3
CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files 30.05.2026 9.6
CVE-2026-24444 SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php 28.05.2026 9.3
CVE-2026-44477 CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE 28.05.2026 9.4
CVE-2026-45261 GitButler: Link injection via forge integration enables arbitrary script execution 30.05.2026 9.3
CVE-2026-44672 mapfish-print: Remote Code Injection (RCE) in Dynamic table 28.05.2026 9.3
CVE-2026-8979 Authentication Bypass 28.05.2026 9.3
CVE-2026-8980 Privilege Escalation 28.05.2026 9.3
CVE-2026-46115 block: add pgmap check to biovec_phys_mergeable 30.05.2026 9.8
CVE-2026-46119 libceph: Fix slab-out-of-bounds access in auth message processing 01.06.2026 9.1
CVE-2026-46135 nvmet-tcp: fix race between ICReq handling and queue teardown 30.05.2026 9.8
CVE-2026-46137 mptcp: pm: ADD_ADDR rtx: fix potential data-race 30.05.2026 9.8
CVE-2026-46155 smb/client: fix out-of-bounds read in smb2_compound_op() 30.05.2026 9.1
CVE-2026-46185 smb/client: fix out-of-bounds read in symlink_data() 01.06.2026 9.1
CVE-2026-46195 smb: client: validate dacloffset before building DACL pointers 30.05.2026 9.8
CVE-2026-4408 Samba: remote code execution in samr 02.06.2026 9
CVE-2026-32998 29.05.2026 9.4
CVE-2026-32999 28.05.2026 9.1
CVE-2026-9739 28.05.2026 9.4
CVE-2026-45083 Goobi viewer: Unauthenticated Solr Streaming Expression Proxy 28.05.2026 9.8
CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml 28.05.2026 9.3
CVE-2026-8362 Gladinet Triofox Stack-based Buffer Overflow in WOSDefaultHttpModule.dll 28.05.2026 9.8
CVE-2026-8363 Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll 28.05.2026 9.8
CVE-2026-8364 Gladinet Triofox Missing Authentication for Critical Functions 28.05.2026 9.8
CVE-2026-44887 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path) 28.05.2026 9.8
CVE-2026-44888 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Integer) 28.05.2026 9.8
CVE-2026-45102 OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion 30.05.2026 9.9
CVE-2026-45087 Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode 28.05.2026 10
CVE-2026-46425 Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users 28.05.2026 9.9
CVE-2026-48150 Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign 27.05.2026 9
CVE-2026-44315 free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions 27.05.2026 9.4
CVE-2026-44326 free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions 27.05.2026 9.4
CVE-2026-44327 free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler 28.05.2026 10
CVE-2026-44329 free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers 28.05.2026 10
CVE-2026-44330 free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions 27.05.2026 10
CVE-2026-48027 Compromised Nx Console version 18.95.0 28.05.2026 9.3
CVE-2026-49103 27.05.2026 9.4
CVE-2026-35087 Authentication Bypass in Slican telephone exchanges 27.05.2026 9.3
CVE-2026-35090 Authentication Bypass in Slican telephone exchanges 27.05.2026 9.3
CVE-2026-45898 RDMA/iwcm: Fix workqueue list corruption by removing work_list 30.05.2026 9.8
CVE-2026-45972 smb: client: fix potential UAF and double free in smb2_open_file() 30.05.2026 9.8
CVE-2026-45988 rxrpc: Fix re-decryption of RESPONSE packets 30.05.2026 9.8
CVE-2026-46039 rxgk: Fix potential integer overflow in length check 30.05.2026 9.8
CVE-2026-46043 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv 01.06.2026 9.1
CVE-2026-7524 Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System Access and Potential Remote Code Execution 28.05.2026 9.8
CVE-2026-8175 Multiple vulnerabilities in Aspera applications. 28.05.2026 9.8
CVE-2026-42727 WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42731 WordPress miniorange otp verification plugin <= 5.4.9 - Privilege Escalation vulnerability 27.05.2026 9.8
CVE-2026-42740 WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42747 WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42748 WordPress WPify Woo Czech plugin <= 5.4.1 - Arbitrary File Upload vulnerability 27.05.2026 9.9
CVE-2026-42755 WordPress TableOn plugin <= 1.0.5.1 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42756 WordPress QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly plugin <= 3.2.7 - Arbitrary File Deletion vulnerability 27.05.2026 9.9
CVE-2026-42757 WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File Deletion vulnerability 27.05.2026 9.9
CVE-2026-42758 WordPress WebinarIgnition plugin < 4.08.253 - Privilege Escalation vulnerability 27.05.2026 9.8
CVE-2026-42761 WordPress Active Products Tables for WooCommerce plugin <= 1.0.9 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-48906 Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla 27.05.2026 9.3
CVE-2025-12686 27.05.2026 9.8
CVE-2026-49002 Broken Access Control Vulnerability in ZTE ZXUniPOS NDS-LTE product 28.05.2026 9.1
CVE-2026-8054 Unauthenticated SQL Injection in dotCMS Publish Audit API 27.05.2026 10
CVE-2026-8760 Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force 27.05.2026 9.8
CVE-2026-9312 Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint 28.05.2026 9.2
CVE-2026-44895 GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools 27.05.2026 9.2
CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan 27.05.2026 9.1
CVE-2026-44449 Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape 27.05.2026 9.1
CVE-2026-44450 Lumiverse: RCE via MCP stdio argument injection 01.06.2026 9.9
CVE-2026-44451 Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass 27.05.2026 9.3
CVE-2026-9642 Delta Electronics DIAView Patch Bypass 26.05.2026 9.8
CVE-2026-3660 IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass 28.05.2026 9.8
CVE-2026-44668 Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates 27.05.2026 9.8
CVE-2026-46624 Twenty: SQL Injection via the timeZone field 26.05.2026 9.9
CVE-2026-47202 Kavita: Pre-Auth Account Takeover 27.05.2026 9.3
CVE-2026-7251 Eppendorf BioFlo 320 Use of hard-coded password 26.05.2026 9.3
CVE-2026-8633 IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using Web Server Plug-ins 27.05.2026 9.8

Latest Updates

CVE Title Updated Score
CVE-2026-10046 Out-of-bounds write in Napoca BIOS INT 0x15 E820 memory map handler (VA-13905) 02.06.2026
CVE-2026-10047 Out-of-bounds write in Napoca real-mode hook handler via guest-controlled SS:SP (VA-13905) 02.06.2026
CVE-2026-10591 Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths 02.06.2026 8.8
CVE-2026-10629 CVE-2026-10629 02.06.2026
CVE-2026-30649 02.06.2026
CVE-2026-30650 02.06.2026
CVE-2026-30652 02.06.2026
CVE-2026-33398 Authenticated users can read hidden forum posts through `/forum/get_quotes` 02.06.2026
CVE-2026-34460 NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping 02.06.2026 5.4
CVE-2026-35716 02.06.2026
CVE-2026-35718 02.06.2026
CVE-2026-38978 02.06.2026
CVE-2026-40619 02.06.2026 7.8
CVE-2026-40780 WordPress BookIt plugin < 2.5.4.1 - Broken Authentication vulnerability 02.06.2026 7.5
CVE-2026-42654 WordPress Wallet System for WooCommerce plugin <= 2.7.5 - Broken Authentication vulnerability 02.06.2026 7.1
CVE-2026-44367 Klaw: user lockout due to case sensitivity inconsistency 02.06.2026 2.7
CVE-2026-45080 Klaw: Improper Access Control Allows Disclosure of Password Hash 02.06.2026
CVE-2026-45553 NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text() 02.06.2026 7.5
CVE-2026-45554 NiceGUI: Unauthenticated log-flood DoS via trailing slash on ESM and per-component resource routes 02.06.2026 5.3
CVE-2026-45676 OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent 02.06.2026 5.5
CVE-2026-45678 OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads 02.06.2026 7.5
CVE-2026-45679 OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages 02.06.2026 6.5
CVE-2026-45680 OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU 02.06.2026 5.9
CVE-2026-45681 OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size 02.06.2026 5.9
CVE-2026-45682 OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals 02.06.2026 5.1
CVE-2026-45683 OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure 02.06.2026 3.8
CVE-2026-45684 OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers 02.06.2026 4.9
CVE-2026-45685 OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages 02.06.2026 7.5
CVE-2026-45686 OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI 02.06.2026 7.5
CVE-2026-47117 OpenMed < 1.5.2 Remote Code Execution via PII Model Loading 02.06.2026
CVE-2026-48861 CRLF injection in HTTP/1 request line via unvalidated method in Mint 02.06.2026
CVE-2026-48862 Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency 02.06.2026
CVE-2026-49753 HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing 02.06.2026
CVE-2026-49754 HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation 02.06.2026
CVE-2026-7299 CVE-2026-7299 02.06.2026 6.3
CVE-2026-9522 02.06.2026
CVE-2026-9590 02.06.2026
CVE-2019-25717 Dräger Infinity Delta/Kappa Patient Monitors Unauthenticated Log File Disclosure 02.06.2026
CVE-2019-25719 Dräger Infinity M540 VG4.1.1 Spoofing and DoS via Network Message Handling 02.06.2026
CVE-2025-58707 WordPress Spin theme <= 1.8 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2025-58897 WordPress Fermentio theme <= 1.5.0 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2025-68886 WordPress Cookiteer theme <= 1.4.8 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2025-69369 WordPress Racquet theme <= 1.12.0 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2026-10611 OTP bypass via plugin-based LDAP authentication in MISP when LDAP mixed authentication is enabled 02.06.2026
CVE-2026-10621 CVE-2026-10621 02.06.2026
CVE-2026-10622 CVE-2026-10622 02.06.2026
CVE-2026-27351 WordPress Crew HRM plugin <= 1.2.2 - Broken Access Control vulnerability 02.06.2026 5.4
CVE-2026-28116 WordPress Progress Planner plugin <= 1.9.0 - Cross Site Scripting (XSS) vulnerability 02.06.2026 5.9
CVE-2026-32250 NamelessMC has Reflected Cross-Site Scripting (XSS) in id parameter of /index.php?route=/queries/user/ 02.06.2026 4.3
CVE-2026-32685 Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write 02.06.2026
CVE-2026-35717 02.06.2026
CVE-2026-39552 WordPress Blueprint theme < 1.1.5 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2026-39553 WordPress WaveRide theme <= 1.4 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2026-39555 WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability 02.06.2026 8.1
CVE-2026-41918 02.06.2026 5.7
CVE-2026-42795 Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root 02.06.2026
CVE-2026-43965 Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion 02.06.2026
CVE-2026-49782 WordPress Elementor Website Builder plugin <= 4.1.0 - Broken Access Control vulnerability 02.06.2026 5.4
CVE-2026-7195 CWE-20: Improper Input Validation in web services in Progress Sitefinity 02.06.2026 8.8
CVE-2026-7198 CWE-284: Improper Access Control in web services in Progress Sitefinity 02.06.2026 9.8
CVE-2026-7201 CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 02.06.2026 8.8
CVE-2026-7312 CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity 02.06.2026 10
CVE-2026-7313 CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity 02.06.2026 8.7
CVE-2026-9844 Vulnerability in navify® Digital Pathology 02.06.2026
CVE-2025-53440 WordPress Confidant theme <= 1.4 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2025-58024 WordPress Accordion FAQ Plugin <= 2.2.1 - Local File Inclusion Vulnerability 02.06.2026 7.5
CVE-2025-58705 WordPress Crafti theme <= 1.12 - Local File Inclusion vulnerability 02.06.2026 8.1
CVE-2026-39550 WordPress Aperitif theme <= 1.6 - PHP Object Injection vulnerability 02.06.2026 8.1
CVE-2026-39551 WordPress Töbel theme <= 1.8.1 - PHP Object Injection vulnerability 02.06.2026 8.1
CVE-2026-42669 WordPress EventPrime plugin <= 4.3.2.0 - Broken Access Control vulnerability 02.06.2026 7.5
CVE-2026-42670 WordPress Five Star Restaurant Reservations plugin <= 2.7.14 - Payment Bypass vulnerability 02.06.2026
CVE-2026-42684 WordPress WP Job Portal plugin <= 2.5.1 - SQL Injection vulnerability 02.06.2026 9.3
CVE-2026-42685 WordPress WP Job Portal plugin <= 2.5.1 - Cross Site Scripting (XSS) vulnerability 02.06.2026 7.1
CVE-2026-8993 Improper URL Handler Processing in D.Launcher 2 enables NTLM Credential Disclosure and SSRF attacks 02.06.2026 6.5
CVE-2025-52759 WordPress Accordion FAQ plugin <= 2.2.1 - Cross Site Scripting (XSS) vulnerability 02.06.2026 7.1
CVE-2025-52766 WordPress Printeers Print & Ship plugin <= 1.17.0 - Broken Access Control vulnerability 02.06.2026 6.5
CVE-2025-53209 WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability 02.06.2026 9.8
CVE-2025-53302 WordPress Constructor theme <= 1.6.5 - Broken Access Control Vulnerability 02.06.2026 5.3
CVE-2025-53345 WordPress Thim Core plugin <= 2.3.3 - Arbitrary Plugin Installation vulnerability 02.06.2026 8.8
CVE-2025-53346 WordPress Thim Core Plugin <= 2.3.3 - Broken Access Control Vulnerability 02.06.2026 4.3
CVE-2026-10549 Privilege escalation in Yandex Database 02.06.2026
CVE-2026-34906 Server-Side Template Injection (SSTI) in Wirtualna Uczelnia 02.06.2026
CVE-2026-34907 Reflected Cross-Site Scripting (XSS) in Wirtualna Uczelnia 02.06.2026
CVE-2026-41115 Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API 02.06.2026
CVE-2026-46718 Apache Calcite: A user-controlled model can load arbitrary classes, leading to code execution 02.06.2026
CVE-2026-5191 Tiled Gallery Carousel Without JetPack <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-image-title' 02.06.2026 5.4
CVE-2026-5422 Path Traversal in jupyter/jupyter 02.06.2026
CVE-2025-5085 wp-nano-ad <= 1.31 - Authenticated (Administrator+) Stored Cross-Site Scripting via blogrole_link Parameter 02.06.2026 5.5
CVE-2026-1450 rognone <= 0.6.2 - Reflected Cross-Site Scripting via 'mode' Parameter 02.06.2026 6.1
CVE-2026-1451 rognone <= 0.6.2 - Reflected Cross-Site Scripting via 'a' Parameter 02.06.2026 6.1
CVE-2026-1784 Ose-cluster-ingress-operator: remote code execution through haproxy configuration injection 02.06.2026
CVE-2026-2382 FPW Category Thumbnails <= 1.9.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'id' Parameter 02.06.2026 6.4
CVE-2026-2425 hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting via 'new_domain' Parameter 02.06.2026 6.1
CVE-2026-3514 Authentication Bypass in prefecthq/prefect 02.06.2026
CVE-2026-3620 Word Replacer <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Replacement' Parameter 02.06.2026 4.4
CVE-2026-4071 BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change 02.06.2026 4.3
CVE-2026-4080 Easy Cart <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 02.06.2026 6.4
CVE-2026-4081 ZeM STL <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 02.06.2026 6.4
CVE-2026-8422 Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update 02.06.2026 4.3
CVE-2026-8885 DeMomentSomTres Shortcodes <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 02.06.2026 6.4
CVE-2026-9234 JTL-Connector for WooCommerce <= 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Settings Modification via Multiple Functions 02.06.2026 4.3
CVE-2026-9599 Tectite Forms <= 1.3 - Cross-Site Request Forgery to Settings Update 02.06.2026 4.3
CVE-2026-9722 Laiser Tag <= 1.2.5 - Cross-Site Request Forgery to Plugin Settings Update via Settings Form 02.06.2026 4.3
CVE-2026-9723 Google Plus One Bottom <= 0.0.2 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page 02.06.2026 4.3
CVE-2026-9730 Remove NoFollow Commenter URL <= 1.0 - Cross-Site Request Forgery to Settings Update 02.06.2026 4.3
CVE-2026-8293 Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip 02.06.2026
CVE-2026-10581 DedeCMS download.php base64_decode server-side request forgery 02.06.2026
CVE-2026-10583 nextlevelbuilder GoClaw TTS Configuration Endpoint tts_config.go import server-side request forgery 02.06.2026
CVE-2026-3198 Improper Access Control in mlflow/mlflow 02.06.2026
CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' 02.06.2026 9.8
CVE-2026-10100 Simple Custom Login Page <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting 02.06.2026 4.4
CVE-2026-10510 GeniexWebView XSS in com.transsion.aiassistantlifestyle 02.06.2026
CVE-2026-10565 Open5GS NGAP Handover gmm-sm.c gmm_state_security_mode race condition 02.06.2026
CVE-2026-10566 FoundationAgents MetaGPT schema.py Message.check_instruct_content deserialization 02.06.2026
CVE-2026-10567 1Panel-dev CordysCRM ModuleFormController ModuleFormService.java save cross site scripting 02.06.2026
CVE-2026-10568 itsourcecode Fees Management System manage_payment.php sql injection 02.06.2026
CVE-2026-3722 Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) <= 4.9 - Authenticated (Author+) Stored Cross-Site Scripting via Image Attribute 02.06.2026 6.4
CVE-2026-3870 02.06.2026 6.5
CVE-2026-3871 02.06.2026 6.5
CVE-2026-10529 westboy CicadasCMS Task Scheduling Management ScheduleJobController.java cross site scripting 02.06.2026
CVE-2026-10548 NousResearch hermes-agent Credential Pool Synchronization credential_pool.py _sync_anthropic_entry_from_credentials_file improper authentication 02.06.2026
CVE-2026-10550 elunez eladmin Application Deployment App.java command injection 02.06.2026
CVE-2026-10558 SourceCodester Pizzafy Ecommerce System index.php file inclusion 02.06.2026
CVE-2026-10559 SourceCodester Pizzafy Ecommerce System index.php file inclusion 02.06.2026
CVE-2026-10514 1Panel-dev CordysCRM RequestParamTrimConfig.java cross site scripting 01.06.2026
CVE-2026-10528 Orthanc DICOM Server DCMTK FromDcmtkBridge.cpp read stack-based overflow 02.06.2026
CVE-2026-10301 itsourcecode Fees Management System index.php cross site scripting 02.06.2026
CVE-2026-10302 itsourcecode Fees Management System manage_fee.php sql injection 01.06.2026
CVE-2026-9048 Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure 02.06.2026 4.3
CVE-2026-9050 Slider Revolution 6.0.0-6.7.55 and 7.0.0-7.0.14 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Deactivation 02.06.2026 4.3
CVE-2026-10298 ggml-org whisper.cpp ggml.c whisper_model_load null pointer dereference 01.06.2026
CVE-2026-10299 code-projects Online Hospital Management System viewdoctortimings.php resource injection 02.06.2026
CVE-2026-10300 SGLang Inference HTTP Endpoint lora_manager.py assertion 02.06.2026
CVE-2019-25718 Dräger Infinity Explorer C700 Privilege Escalation via Kiosk Mode Bypass 02.06.2026
CVE-2025-59601 Exposure of Sensitive Information Through Metadata in Powerline Communication Firmware 01.06.2026 6.5
CVE-2025-59604 NULL Pointer Dereference in SPS Applications 02.06.2026 7.8
CVE-2025-59605 Out-of-bounds Write in HLOS 02.06.2026 7.8
CVE-2025-59606 NULL Pointer Dereference in HLOS 02.06.2026 7.8
CVE-2025-59609 Buffer Over-read in WLAN Host Communication 01.06.2026 5.5
CVE-2025-59610 Time-of-check Time-of-use (TOCTOU) Race Condition in Camera Driver 02.06.2026 6.4
CVE-2025-59611 Out-of-bounds Write in Core Services 02.06.2026 6.7
CVE-2025-59612 Stack-based Buffer Overflow in Windows Compute 02.06.2026 6.7
CVE-2025-59613 Stack-based Buffer Overflow in Windows Compute 02.06.2026 6.7
CVE-2025-59614 Out-of-bounds Write in Windows Compute 02.06.2026 6.7
CVE-2026-10295 SourceCodester Customer Review App review_app.py get_all_reviews denial of service 01.06.2026
CVE-2026-10296 itsourcecode Fees Management System ajax.php sql injection 02.06.2026
CVE-2026-10297 itsourcecode Fees Management System manage_course.php sql injection 01.06.2026
CVE-2026-24085 Stack-based Buffer Overflow in Display 02.06.2026 7.2
CVE-2026-24087 Improper Validation of Syntactic Correctness of Input in Kernel 02.06.2026 7.2
CVE-2026-24088 Missing Authentication for Critical Function in Boot 02.06.2026 8.2
CVE-2026-24089 Improper Validation of Syntactic Correctness of Input in Kernel 02.06.2026 7.2
CVE-2026-24090 Missing Authentication for Critical Function in HLOS 02.06.2026 7.1
CVE-2026-24091 Improper Validation of Syntactic Correctness of Input in Display 02.06.2026 7.2
CVE-2026-24092 Improper Validation of Syntactic Correctness of Input in Display 02.06.2026 7.2
CVE-2026-24752 Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting 02.06.2026 8.2
CVE-2026-24753 Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key 02.06.2026 6.5
CVE-2026-24754 Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting 01.06.2026 5.4
CVE-2026-24755 Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key 01.06.2026 5.4
CVE-2026-24756 Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key 02.06.2026 4.3
CVE-2026-24761 Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key 02.06.2026 3.7
CVE-2026-24782 Kiteworks Secure Data Forms has a SQL Injection vulnerability 02.06.2026 7.6
CVE-2026-25258 Out-of-bounds Read in DSP Service 02.06.2026 7.8
CVE-2026-25259 Out-of-bounds Write in DSP Service 02.06.2026 7.8
CVE-2026-25260 Time-of-check Time-of-use (TOCTOU) Race Condition in DSP Service 02.06.2026 7.8
CVE-2026-25276 Improper Validation of Array Index in Secure Processor 02.06.2026 8.8
CVE-2026-25277 Buffer Copy Without Checking Size of Input in Secure Processor 02.06.2026 8.8
CVE-2026-25879 Langroid has Prompt to SQL Injection, Leading to RCE 01.06.2026 9.8
CVE-2026-28511 elabftw has entry title leakage through autocompletion search 01.06.2026 4.3
CVE-2018-25427 Arm Whois 3.11 Buffer Overflow via SEH Overwrite 02.06.2026
CVE-2018-25428 Paroiciel 11.20 SQL Injection via tRecIdListe Parameter 01.06.2026
CVE-2018-25429 Paroiciel 11.20 SQL Injection via zProIdPro Parameter 02.06.2026
CVE-2018-25430 Paroiciel 11.20 SQL Injection via eGeqIdEquipe Parameter 01.06.2026
CVE-2018-25431 No-Cms 1.0 SQL Injection via order_by Parameter 01.06.2026
CVE-2018-25432 Arm Whois 3.11 Buffer Overflow via ASLR Bypass 02.06.2026
CVE-2018-25433 Joomla JE Photo Gallery 1.1 SQL Injection via categoryid 02.06.2026
CVE-2018-25434 WP AutoSuggest 0.24 SQL Injection via autosuggest.php 01.06.2026
CVE-2018-25435 ZeusCart 4.0 Deactivate Customer Accounts CSRF 02.06.2026
CVE-2019-25716 Dräger Infinity Delta/Kappa Patient Monitor DoS via Malformed Network Packet 01.06.2026
CVE-2025-22424 01.06.2026
CVE-2025-22426 02.06.2026
CVE-2025-26418 02.06.2026
CVE-2025-32348 02.06.2026
CVE-2025-48570 02.06.2026
CVE-2025-48595 02.06.2026
CVE-2025-48616 01.06.2026
CVE-2025-48648 01.06.2026
CVE-2025-48649 02.06.2026
CVE-2025-48652 02.06.2026
CVE-2026-0009 02.06.2026
CVE-2026-0016 01.06.2026
CVE-2026-0018 01.06.2026
CVE-2026-0036 02.06.2026
CVE-2026-0039 01.06.2026
CVE-2026-0040 01.06.2026
CVE-2026-0041 01.06.2026
CVE-2026-0042 01.06.2026
CVE-2026-0043 01.06.2026
CVE-2026-0044 01.06.2026
CVE-2026-0045 02.06.2026
CVE-2026-0046 01.06.2026
CVE-2026-0048 01.06.2026
CVE-2026-0050 01.06.2026
CVE-2026-0051 01.06.2026
CVE-2026-0052 01.06.2026
CVE-2026-0055 01.06.2026
CVE-2026-0056 01.06.2026
CVE-2026-0059 02.06.2026
CVE-2026-0060 01.06.2026
CVE-2026-0061 02.06.2026
CVE-2026-0067 01.06.2026
CVE-2026-0069 01.06.2026
CVE-2026-0070 01.06.2026
CVE-2026-0074 01.06.2026
CVE-2026-0075 02.06.2026
CVE-2026-0076 02.06.2026
CVE-2026-0077 02.06.2026
CVE-2026-0078 02.06.2026
CVE-2026-0079 01.06.2026
CVE-2026-0080 01.06.2026
CVE-2026-0085 01.06.2026
CVE-2026-0086 01.06.2026
CVE-2026-0087 02.06.2026
CVE-2026-0088 02.06.2026
CVE-2026-0089 02.06.2026
CVE-2026-0091 02.06.2026
CVE-2026-0093 02.06.2026
CVE-2026-0094 02.06.2026
CVE-2026-0095 02.06.2026
CVE-2026-0096 02.06.2026
CVE-2026-0097 02.06.2026
CVE-2026-0098 02.06.2026
CVE-2026-0099 02.06.2026
CVE-2026-0100 02.06.2026
CVE-2026-10290 code-projects Hotel and Tourism Reservation System GET Parameter tour.php sql injection 02.06.2026
CVE-2026-10291 Enderfga claw-orchestrator Session Grep Endpoint embedded-server.ts validateRegex redos 01.06.2026
CVE-2026-10292 UTT HiPER 1200GW formTaskEdit strcpy stack-based overflow 01.06.2026
CVE-2026-10293 UTT HiPER 1200GW formFireWall strcpy stack-based overflow 02.06.2026
CVE-2026-10294 PackageKit API pk-transaction.c g_file_test improper authorization 02.06.2026
CVE-2026-28577 02.06.2026
CVE-2026-28578 01.06.2026
CVE-2026-28580 02.06.2026
CVE-2026-28581 01.06.2026
CVE-2026-28586 01.06.2026
CVE-2026-40964 02.06.2026 7.5
CVE-2026-40965 02.06.2026
CVE-2026-49491 Pixa Bank 2.0 SQL Injection via agence-ajax.php API 02.06.2026
CVE-2021-46747 02.06.2026
CVE-2025-70099 02.06.2026
CVE-2026-10284 DevaslanPHP project-management Livewire ViewTicket.php doDeleteComment improper authorization 01.06.2026
CVE-2026-10285 DevaslanPHP project-management Ticket KanbanScrumHelper.php recordUpdated improper authorization 02.06.2026
CVE-2026-10286 CodeAstro Payroll System home_employee.php sql injection 01.06.2026
CVE-2026-10287 SourceCodester SEO Meta Tag Extractor index.php get_headers server-side request forgery 01.06.2026
CVE-2026-10288 code-projects Hotel and Tourism Reservation System Admin Login login.php password_verify improper authentication 02.06.2026
CVE-2026-10289 code-projects Hotel and Tourism Reservation System tour.php cross site scripting 02.06.2026
CVE-2026-24751 Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting 02.06.2026 8.2
CVE-2026-37234 02.06.2026
CVE-2026-49134 CodexBar < 0.32.0 Privilege Escalation via CLI Installer Temp File 02.06.2026
CVE-2026-49135 CodexBar < 0.32.0 Insecure Temporary File Handling in Notarization Workflow 02.06.2026
CVE-2026-49136 Banana Slides 0.4.0 Path Traversal via generate_image() in ai_service.py 01.06.2026
CVE-2026-49138 Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following 02.06.2026
CVE-2026-49139 Nanobot < 0.2.1 SSRF via Microsoft Teams Channel serviceUrl Poisoning 01.06.2026
CVE-2026-49140 Nanobot < 0.2.1 Denial of Service via Matrix Media Download Handler 02.06.2026
CVE-2026-49433 DeepAI api.deepai.org/change_user_email CSRF 01.06.2026
CVE-2026-5419 Gnutls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal 02.06.2026
CVE-2024-52011 launch-editor vulnerable to command injection via the crafted request on Windows 02.06.2026
CVE-2026-0072 01.06.2026
CVE-2026-10276 hekmon8 Jenkins-server-mcp get_build_status/get_build_log/trigger_build index.ts jobPath server-side request forgery 01.06.2026
CVE-2026-10277 j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control 01.06.2026
CVE-2026-10278 ishayoyo excel-mcp read_file/write_file index.ts path traversal 02.06.2026
CVE-2026-10279 hiraishikentaro wezterm-mcp switch_pane/write_to_specific_pane wezterm_executor.ts os command injection 01.06.2026
CVE-2026-10280 horizon921 mcpilot MCP API Call Endpoint route.ts server-side request forgery 02.06.2026
CVE-2026-10281 Enderfga claw-orchestrator API Endpoint embedded-server.ts EmbeddedServer missing authentication 01.06.2026
CVE-2026-10282 Bottelet DaybydayCRM DocumentsController.php view improper authorization 01.06.2026
CVE-2026-10283 Bottelet DaybydayCRM Setting missing authentication 02.06.2026
CVE-2026-22872 Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability 02.06.2026
CVE-2026-23638 Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key 01.06.2026 6.5
CVE-2026-30963 Capsule Namespace Hijacking via subresource 02.06.2026 3.9
CVE-2026-37226 02.06.2026
CVE-2026-37228 02.06.2026
CVE-2026-37229 02.06.2026
CVE-2026-37230 02.06.2026
CVE-2026-37231 02.06.2026
CVE-2026-37232 02.06.2026
CVE-2026-37233 02.06.2026
CVE-2026-37235 01.06.2026
CVE-2026-40989 Self Routing guard bypassed via function composition 01.06.2026 5.7
CVE-2026-40990 Unbounded cache for function definitions 01.06.2026 5.7
CVE-2026-41013 Tenant-controlled comma smuggles arbitrary CIFS mount options 01.06.2026
CVE-2026-43623 microtar 0.1.0 Stack-Based Buffer Overflow via raw_to_header() 01.06.2026
CVE-2026-43624 F5-TTS 1.1.20 Path Traversal via finetune_gradio.py create_data_project() 01.06.2026
CVE-2026-43625 CodexBar < 0.32.0 Session Cookie Exposure via HTTP Redirect 01.06.2026
CVE-2026-43958 Rrdtool: rrdtool: stack buffer overflow allows local code execution or denial of service 02.06.2026
CVE-2026-45275 Nextcloud: Authorization bypass in approval feature allows unauthorized file sharing with approvers 01.06.2026 6.5
CVE-2026-45277 Nextcloud: Information disclosure in Nextcloud Approval app via fileId parameter reveals workflow associations 01.06.2026 3.3
CVE-2026-45278 Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass 02.06.2026 3.3
CVE-2026-45279 Nextcloud: Limited path traversal via template API if using `{lang}` in config 02.06.2026 4.4
CVE-2026-45281 Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update 01.06.2026 8.1
CVE-2026-45282 Nextcloud: Logged-in user bypasses share password and download restrictions on Text attachments via documentId leads to unauthorized file access 01.06.2026 6.5
CVE-2026-45283 Nextcloud: Files Lock app allows users to lock and unlock files of other users 01.06.2026 6.3
CVE-2026-45284 Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate 02.06.2026 4.6
CVE-2026-45285 Nextcloud: Hidden Public Link creation when sharing to a Team External Member 02.06.2026 6.4
CVE-2026-45286 Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint 01.06.2026 4.3
CVE-2026-45302 Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names 02.06.2026 8.2
CVE-2026-45543 Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share 01.06.2026 5.3
CVE-2026-45544 Nextcloud: Information Disclosure of view filter metadata via Broken Sensitive Data Masking in ViewService 01.06.2026 4.3
CVE-2026-45545 Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution 02.06.2026 8.2
CVE-2026-45690 Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay 02.06.2026 5.9
CVE-2026-45691 Nextcloud: Bypass of second factor authentication on DAV endpoints 01.06.2026 5.9
CVE-2026-45722 Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views 01.06.2026 7.1
CVE-2026-45727 CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion 01.06.2026
CVE-2026-45729 ThorVG: Null pointer dereference in SVG loader causes crash via 6-byte malformed input 02.06.2026 4.3
CVE-2026-45810 Nextcloud: Propfind requests for file comments allowed to load comments for other files 02.06.2026 6.8
CVE-2026-47294 Microsoft SharePoint Server Remote Code Execution Vulnerability 02.06.2026 8
CVE-2026-49121 AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization 01.06.2026
CVE-2026-7770 IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator 02.06.2026 8.8
CVE-2026-8644 IBM WebSphere Application Server is affected by an identity spoofing vulnerability 01.06.2026 9.1
CVE-2026-9311 IBM WebSphere Application Server is affected by remote code execution 02.06.2026 9
CVE-2026-9319 IBM WebSphere Application Server is affected by a remote code execution vulnerability 02.06.2026 9
CVE-2026-9330 IBM WebSphere Application Server is affected by remote code execution 02.06.2026 8.5
CVE-2026-9614 02.06.2026 8.8
CVE-2026-10275 OpenSC pkcs11-tool Key Generation pkcs11-tool.c test_kpgen_certwrite buffer overflow 01.06.2026
CVE-2026-37224 01.06.2026
CVE-2026-37227 01.06.2026
CVE-2026-45153 Nextcloud: PIN bypass in PassCodeActivity via back button 01.06.2026 4.6
CVE-2026-45154 Nextcloud: Improper Access Control in Collectives 01.06.2026 2.6
CVE-2026-45155 Nextcloud: Private circle can be added to another circle via API 01.06.2026 2.6
CVE-2026-45156 Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC 01.06.2026 8.1
CVE-2026-45157 Nextcloud: Valid share tokens allow to access temporary upload files of share owner 01.06.2026 6.3
CVE-2026-45159 Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner 01.06.2026 3.5
CVE-2026-45266 Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling 01.06.2026 3.5
CVE-2026-45267 Nextcloud: Missing permission check for from submissions 01.06.2026 6.5