CVE Field Guide

Critical CVEs

| CVE | Title | Updated (DD.MM.YYYY) | Score |
|---|---|---|---|
| CVE-2026-56290 | Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0 | 29.06.2026 | 10 |
| CVE-2026-57331 | WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerability | 29.06.2026 | 9.9 |
| CVE-2026-58053 | Gitea act_runner - Container Hardening Bypass via Workflow Container Options | 28.06.2026 | 9.4 |
| CVE-2026-12415 | Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter | 29.06.2026 | 9.8 |
| CVE-2026-31928 | Daktronics Controller Firmware Use of Hard-coded Credentials | 29.06.2026 | 9.3 |
| CVE-2026-28701 | Daktronics Controller Firmware Path Traversal | 29.06.2026 | 9.3 |
| CVE-2026-49869 | Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter` | 29.06.2026 | 10 |
| CVE-2026-53576 | Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass | 26.06.2026 | 10 |
| CVE-2026-54350 | Budibase: Anonymous NoSQL operator injection via published-app query templates | 26.06.2026 | 10 |
| CVE-2026-54352 | Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload | 27.06.2026 | 9.6 |
| CVE-2026-46386 | OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal` | 29.06.2026 | 9.9 |
| CVE-2026-53309 | ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison | 28.06.2026 | 9.8 |
| CVE-2026-52780 | OpenProject: Cache store poisoning leads to Remote Code Execution (RCE) | 27.06.2026 | 9.6 |
| CVE-2026-52782 | OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources | 29.06.2026 | 9.9 |
| CVE-2026-52785 | OpenProject: SQL injection in timestamps functionality | 26.06.2026 | 9.9 |
| CVE-2026-33646 | mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass) | 29.06.2026 | 9.6 |
| CVE-2026-45405 | Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add | 26.06.2026 | 9 |
| CVE-2026-45406 | Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval | 26.06.2026 | 9 |
| CVE-2026-45408 | Dokku: OS Command Injection via App Name in Git Pre-Receive Hook | 26.06.2026 | 9 |
| CVE-2026-54636 | Dokku: OS Command Injection via app.json managed Cron | 29.06.2026 | 9 |
| CVE-2026-54820 | WordPress JetBooking plugin <= 4.0.4.1 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-54825 | WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-54827 | WordPress Real Estate 7 theme <= 3.5.9 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-54831 | WordPress GeoDirectory plugin <= 2.8.162 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56027 | WordPress Booster for WooCommerce plugin <= 8.0.1 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.9 |
| CVE-2026-56028 | WordPress Easy Elements for Elementor – Addons & Website Templates plugin <= 1.4.9 - Privilege Escalation vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56030 | WordPress Paytium plugin <= 5.0.2 - Privilege Escalation vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56032 | WordPress Buddyboss Platform plugin <= 3.0.4 - PHP Object Injection vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56033 | WordPress Dokan Pro plugin <= 5.0.4 - Privilege Escalation vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56034 | WordPress Library Management System plugin <= 3.5.7 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56036 | WordPress 워드프레스 결제 심플페이 (WordPress Payment SimplePay) plugin <= 5.5.6 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56057 | WordPress Uncanny Automator Pro plugin <= 7.3.0.6 - PHP Object Injection vulnerability | 26.06.2026 | 9.8 |
| CVE-2026-56058 | WordPress Quform plugin <= 2.23.0 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.9 |
| CVE-2026-56059 | WordPress Travel Booking theme <= 2.2.5 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.9 |
| CVE-2026-56062 | WordPress Quotes llama plugin <= 3.1.5 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56067 | WordPress JetSmartFilters plugin <= 3.8.3 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-56068 | WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability | 29.06.2026 | 9.3 |
| CVE-2026-56070 | WordPress Advance Product Search plugin <= 1.4.4 - SQL Injection vulnerability | 26.06.2026 | 9.3 |
| CVE-2026-57658 | WordPress TemplateSpare plugin <= 4.2.0 - Arbitrary File Upload vulnerability | 26.06.2026 | 9.1 |
| CVE-2026-57878 | GV-LPC2011/LPC2211 - unauthorized buffer overflow vulnerability (thttpd) | 26.06.2026 | 9.8 |
| CVE-2026-57879 | GV-LPC2011/LPC2211 - unauthorized buffer overflow via AuthMode/AuthValue path (ssvr) | 26.06.2026 | 9.8 |
| CVE-2026-57880 | GV-LPC2011/LPC2211 - unauthorized buffer overflow via RTSP Digest username (ssvr) | 26.06.2026 | 9.8 |
| CVE-2026-57881 | GV-LPC2011/LPC2211 - unauthorized stack-based buffer overflow vulnerability (vlsvr) | 26.06.2026 | 9.8 |
| CVE-2026-9222 | Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication | 26.06.2026 | 9.2 |
| CVE-2025-71327 | Flowise - Authentication Bypass via Unprotected Registration Endpoint | 26.06.2026 | 9.3 |
| CVE-2025-71333 | Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint | 27.06.2026 | 9.3 |
| CVE-2025-71334 | Flowise - Arbitrary File Access via Missing Chat Flow ID Validation | 26.06.2026 | 9.3 |
| CVE-2025-71336 | Flowise - Unsandboxed Remote Code Execution via Custom MCP | 25.06.2026 | 9.3 |
| CVE-2025-71338 | Flowise - Arbitrary File Write to Remote Code Execution via document-store API | 26.06.2026 | 10 |
| CVE-2026-40702 | EVoke Systems EVoke CSMS Missing Authentication for Critical Function | 26.06.2026 | 9.3 |
| CVE-2026-50548 | Cursor Desktop sandbox escape via agent-controlled working directory | 25.06.2026 | 9.3 |
| CVE-2026-50549 | Cursor Desktop sandbox escape via symlink and failed path canonicalization | 25.06.2026 | 9.3 |
| CVE-2026-54088 | File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) | 25.06.2026 | 9.3 |
| CVE-2026-54089 | File Browser: Authentication Bypass via Proxy Auth Header Forgery | 25.06.2026 | 9.1 |
| CVE-2026-56786 | RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message | 25.06.2026 | 9.3 |
| CVE-2026-57700 | WordPress OMGF Pro plugin <= 5.2.6 - Arbitrary File Upload vulnerability | 25.06.2026 | 10 |
| CVE-2026-55413 | ToolJet - Marketplace Plugin Poisoning Enables Instance-Wide Remote Code Execution | 25.06.2026 | 9.4 |
| CVE-2026-56123 | socat 1.8.0.0 - 1.8.1.1 Heap Buffer Overflow via SOCKS5 Reply Parser | 26.06.2026 | 9.2 |
| CVE-2026-41120 | | 26.06.2026 | 9.8 |
| CVE-2026-54823 | WordPress Widget Options plugin <= 4.2.3 - Remote Code Execution (RCE) vulnerability | 25.06.2026 | 9.9 |
| CVE-2026-54836 | WordPress Filter & Grids plugin <= 3.11.5 - SQL Injection vulnerability | 25.06.2026 | 9.3 |
| CVE-2026-54843 | WordPress MDTF plugin <= 1.3.7 - SQL Injection vulnerability | 25.06.2026 | 9.3 |
| CVE-2026-54849 | WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.11 - SQL Injection vulnerability | 25.06.2026 | 9.3 |
| CVE-2026-41566 | Apache Kvrocks: Improper permission for the APPLYBATCH command | 25.06.2026 | 9.4 |
| CVE-2026-46752 | Apache Kvrocks: Stack buffer overflow in Lua bit.tohex() | 25.06.2026 | 10 |
| CVE-2026-53131 | netfilter: require Ethernet MAC header before using eth_hdr() | 29.06.2026 | 9.4 |
| CVE-2026-53151 | rxrpc: Fix the ACK parser to extract the SACK table for parsing | 28.06.2026 | 9.8 |
| CVE-2026-53175 | inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush | 28.06.2026 | 9.8 |
| CVE-2026-53176 | IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN | 28.06.2026 | 9.8 |
| CVE-2026-53186 | RDMA/srp: bound SRP_RSP sense copy by the received length | 28.06.2026 | 9.1 |
| CVE-2026-53215 | net: mvpp2: refill RX buffers before XDP or skb use | 28.06.2026 | 9.8 |
| CVE-2026-53216 | net: mvpp2: limit XDP frame size to the RX buffer | 28.06.2026 | 9.8 |
| CVE-2026-53221 | ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() | 28.06.2026 | 9.8 |
| CVE-2026-53224 | sctp: validate embedded INIT chunk and address list lengths in cookie | 28.06.2026 | 9.1 |
| CVE-2026-53225 | sctp: fix uninit-value in __sctp_rcv_asconf_lookup() | 28.06.2026 | 9.1 |
| CVE-2026-53228 | ipv6: sit: reload inner IPv6 header after GSO offloads | 28.06.2026 | 9.8 |
| CVE-2026-53246 | sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing | 28.06.2026 | 9.8 |
| CVE-2026-53247 | net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown | 28.06.2026 | 9.8 |
| CVE-2026-53260 | tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req(). | 28.06.2026 | 9.8 |
| CVE-2026-39948 | Cacti has SQL Injection via rfilter parameter in RLIKE clauses | 26.06.2026 | 9.3 |
| CVE-2026-39955 | Cacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php | 26.06.2026 | 9.8 |
| CVE-2026-39938 | Cacti: Unauthenticated RCE on Graph Image | 26.06.2026 | 9.8 |
| CVE-2026-39893 | Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php | 26.06.2026 | 9.8 |
| CVE-2026-50551 | SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content | 25.06.2026 | 9.9 |
| CVE-2026-54067 | SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet() | 25.06.2026 | 9.9 |
| CVE-2026-54069 | SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist | 25.06.2026 | 9.2 |
| CVE-2026-54158 | SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML() | 25.06.2026 | 9.9 |
| CVE-2026-55454 | Appsmith: Caddy admin API exposed without authentication | 25.06.2026 | 9.9 |
| CVE-2026-55570 | SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj` attribute (Bypass for CVE-2026-45375's patch) | 25.06.2026 | 9 |
| CVE-2026-55666 | Rocket.Chat: Email Parameter Fallback Leads To Account Takeover Within Apple OAuth | 26.06.2026 | 9.3 |
| CVE-2026-33543 | FOSSBilling: Authentication bypass allows unauthenticated administrator creation | 25.06.2026 | 9.3 |
| CVE-2026-45688 | Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack | 26.06.2026 | 9.1 |
| CVE-2026-45689 | Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO | 26.06.2026 | 9.1 |
| CVE-2026-46423 | Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty | 26.06.2026 | 9.3 |
| CVE-2026-52811 | Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym | 26.06.2026 | 9 |
| CVE-2026-52813 | Gogs: Path Traversal in organization name results in RCE through Git hooks | 26.06.2026 | 10 |
| CVE-2026-52806 | Gogs: RCE via git rebase --exec argument injection in pull request merge | 26.06.2026 | 9.9 |
| CVE-2026-49980 | Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix | 29.06.2026 | 9.8 |
| CVE-2026-53943 | Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header | 24.06.2026 | 9.6 |
| CVE-2026-52955 | libceph: Fix potential out-of-bounds access in crush_decode() | 29.06.2026 | 9.8 |
| CVE-2026-52958 | libceph: Fix potential out-of-bounds access in osdmap_decode() | 28.06.2026 | 9.1 |
| CVE-2026-52982 | net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() | 28.06.2026 | 9.8 |
| CVE-2026-52986 | netfilter: nf_conntrack_sip: don't use simple_strtoul | 28.06.2026 | 9.8 |
| CVE-2026-52989 | nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers | 28.06.2026 | 9.8 |
| CVE-2026-52993 | tipc: fix double-free in tipc_buf_append() | 28.06.2026 | 9.8 |
| CVE-2026-52999 | netfilter: nfnetlink_osf: fix out-of-bounds read on option matching | 28.06.2026 | 9.1 |
| CVE-2026-53002 | netfilter: conntrack: remove sprintf usage | 28.06.2026 | 9.8 |
| CVE-2026-53006 | ipv6: fix possible UAF in icmpv6_rcv() | 28.06.2026 | 9.8 |
| CVE-2026-53010 | ksmbd: fix use-after-free in smb2_open during durable reconnect | 28.06.2026 | 9.8 |
| CVE-2026-53043 | ocfs2/dlm: validate qr_numregions in dlm_match_regions() | 28.06.2026 | 9.1 |
| CVE-2026-53045 | memory: tegra124-emc: Fix dll_change check | 28.06.2026 | 9.8 |
| CVE-2026-53046 | ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine | 28.06.2026 | 9.8 |
| CVE-2026-53049 | gfs2: add some missing log locking | 28.06.2026 | 9.8 |
| CVE-2026-53055 | crypto: hisilicon/sec2 - prevent req used-after-free for sec | 28.06.2026 | 9.8 |
| CVE-2026-53086 | net: bcmgenet: fix racing timeout handler | 28.06.2026 | 9.8 |
| CVE-2026-53088 | net: bcmgenet: fix off-by-one in bcmgenet_put_txcb | 28.06.2026 | 9.8 |
| CVE-2026-56121 | Feast < 0.63.0 Unauthenticated RCE via ApplyFeatureView gRPC Deserialization | 26.06.2026 | 9.3 |
| CVE-2026-12537 | Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows | 24.06.2026 | 10 |
| CVE-2026-56223 | Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user | 24.06.2026 | 9.3 |
| CVE-2026-56237 | Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation | 24.06.2026 | 9.3 |
| CVE-2026-52914 | batman-adv: fix fragment reassembly length accounting | 28.06.2026 | 9.8 |
| CVE-2026-52924 | sctp: purge outqueue on stale COOKIE-ECHO handling | 28.06.2026 | 9.8 |
| CVE-2026-52931 | batman-adv: tp_meter: avoid use of uninit sender vars | 28.06.2026 | 9.8 |
| CVE-2026-12416 | Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter | 25.06.2026 | 9.8 |
| CVE-2026-12417 | SignUp & SignIn <= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover | 24.06.2026 | 9.8 |
| CVE-2026-12485 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12486 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-12846 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12847 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12848 | GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command | 24.06.2026 | 10 |
| CVE-2026-12849 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-12850 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-12851 | GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability | 24.06.2026 | 9.1 |
| CVE-2026-54588 | Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction. | 24.06.2026 | 9.6 |
| CVE-2026-11807 | Eda-server: websocket missing authorization allows credential theft via activation_id spoofing | 29.06.2026 | 9.6 |
| CVE-2026-53753 | Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API | 23.06.2026 | 9.8 |
| CVE-2026-53662 | immich: One-click account takeover via XSS in login page continue redirect | 23.06.2026 | 9.6 |
| CVE-2026-54157 | LobeHub: Unauthenticated SSRF in `/webapi/proxy` | 23.06.2026 | 9 |
| CVE-2026-54257 | Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow | 23.06.2026 | 9.3 |
| CVE-2026-44789 | n8n: HTTP Request Node Pagination Prototype Pollution to RCE | 24.06.2026 | 9.4 |
| CVE-2026-44790 | n8n: Arbitrary File Read via Git Node | 23.06.2026 | 9.4 |
| CVE-2026-44791 | n8n: XML Node Prototype Pollution Patch Bypass | 23.06.2026 | 9.4 |
| CVE-2026-48519 | Langflow: Unauthenticated RCE in Shareable Playgrounds | 24.06.2026 | 9.6 |
| CVE-2026-55255 | Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow | 24.06.2026 | 9.9 |
| CVE-2026-55447 | Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit | 24.06.2026 | 9.6 |
| CVE-2026-55450 | Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak | 23.06.2026 | 9.3 |
| CVE-2026-27604 | FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions | 23.06.2026 | 10 |
| CVE-2026-28496 | FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE | 23.06.2026 | 9.4 |
| CVE-2026-35019 | NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass | 23.06.2026 | 9.2 |
| CVE-2026-44089 | Buffer Overflow in Totolink EX1200L router | 23.06.2026 | 9.4 |
| CVE-2026-56258 | Crawl4AI - Arbitrary File Write via output_path Symlink and TOCTOU | 23.06.2026 | 9.2 |
| CVE-2026-56315 | picklescan - Remote Code Execution via Unblocked Standard Library Modules | 23.06.2026 | 9.3 |
| CVE-2026-11374 | Account Takeover via Predictable SSO Ticket Generation | 24.06.2026 | 9 |
| CVE-2026-12866 | | 27.06.2026 | 9.2 |
| CVE-2026-48746 | vLLM: OpenAI auth bypass | 23.06.2026 | 9.1 |
| CVE-2026-56266 | Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints | 23.06.2026 | 9.2 |
| CVE-2026-44727 | Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP | 23.06.2026 | 9.3 |
| CVE-2026-45034 | PhpSpreadsheet: File::prohibitWrappers bypass | 23.06.2026 | 9.2 |
| CVE-2026-49468 | LiteLLM: Authentication Bypass via Host Header Injection | 24.06.2026 | 9.5 |
| CVE-2026-10789 | MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop | 23.06.2026 | 9.6 |

Latest Updates

| CVE | Title | Updated (DD.MM.YYYY) | Score |
|---|---|---|---|
| CVE-2026-13571 | SourceCodester Simple Food Ordering System cart.php logic error | 29.06.2026 | |
| CVE-2026-13572 | itsourcecode Hospital Management System insertbillingrecord.php sql injection | 29.06.2026 | |
| CVE-2026-13573 | llvm llvm-project ValueSymbolTable ValueSymbolTable.cpp insert stack-based overflow | 29.06.2026 | |
| CVE-2026-13574 | llvm llvm-project Bitcode File IntrinsicInst.cpp getBasePtr heap-based overflow | 29.06.2026 | |
| CVE-2026-13578 | itsourcecode Hospital Management System patientdetail.php sql injection | 29.06.2026 | |
| CVE-2026-13579 | itsourcecode Hospital Management System patientchangepassword.php sql injection | 29.06.2026 | |
| CVE-2026-46406 | Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write | 29.06.2026 | |
| CVE-2026-49049 | Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler | 29.06.2026 | |
| CVE-2026-55607 | Claude Code: Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execution | 29.06.2026 | |
| CVE-2026-55844 | Home Assistant: iOS Companion App ignores internal SSID allowlist for connections – possible leak of access token and sensor data | 29.06.2026 | 7.5 |
| CVE-2026-56124 | phpUploader < 2.0.2 Unauthenticated Database Exposure via index model | 29.06.2026 | |
| CVE-2026-56290 | Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0 | 29.06.2026 | |
| CVE-2026-57320 | WordPress BEAR plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 7.1 |
| CVE-2026-57326 | WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57327 | WordPress MainWP plugin <= 6.1.1 - Broken Access Control vulnerability | 29.06.2026 | 6.3 |
| CVE-2026-57328 | WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57329 | WordPress WooCommerce Designer Pro plugin <= 1.9.34 - Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57330 | WordPress MasterStudy LMS plugin <= 3.7.27 - Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57331 | WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerability | 29.06.2026 | 9.9 |
| CVE-2026-57332 | WordPress Wallet System for WooCommerce plugin <= 2.7.6 - Broken Access Control vulnerability | 29.06.2026 | 7.1 |
| CVE-2026-57333 | WordPress Link Whisper Free plugin <= 0.9.4 - Reflected Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 7.1 |
| CVE-2026-57334 | WordPress WP User Frontend plugin <= 4.3.7 - Broken Access Control vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57335 | WordPress Ads by WPQuads plugin <= 3.0.3 - Broken Access Control vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57336 | WordPress Jobify theme <= 4.3.2 - Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 7.1 |
| CVE-2026-57337 | WordPress Landing Page Builder plugin <= 1.5.3.5 - Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 7.1 |
| CVE-2026-57338 | WordPress ARForms plugin <= 7.1.2 - Reflected Cross Site Scripting (XSS) vulnerability | 29.06.2026 | 7.1 |
| CVE-2026-57339 | WordPress Business Directory plugin <= 6.4.23 - Broken Access Control vulnerability | 29.06.2026 | 6.6 |
| CVE-2026-57340 | WordPress Japanized For WooCommerce plugin <= 2.9.12 - Broken Access Control vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57341 | WordPress Colissimo Officiel : Méthodes de livraison pour WooCommerce (Official Colissimo: Shipping methods for WooCommerce) plugin <= 2.9.0 - Insecure Direct Object References (IDOR) vulnerability | 29.06.2026 | 6.5 |
| CVE-2026-57523 | | 29.06.2026 | |
| CVE-2026-57525 | | 29.06.2026 | |
| CVE-2026-11979 | Stack-Based Buffer Overflow in libxml2 | 29.06.2026 | |
| CVE-2026-12616 | | 29.06.2026 | |
| CVE-2026-12856 | Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension | 29.06.2026 | |
| CVE-2026-13165 | Remote Code Execution in SzafirHost | 29.06.2026 | |
| CVE-2026-13565 | SourceCodester Class and Exam Timetabling System edit_class1.php sql injection | 29.06.2026 | |
| CVE-2026-13566 | SourceCodester Class and Exam Timetabling System preview3.php sql injection | 29.06.2026 | |
| CVE-2026-13567 | code-projects Online Music Site POST Request Feedback.php cross site scripting | 29.06.2026 | |
| CVE-2026-13568 | SourceCodester Inventory Management System User Registration Endpoint users_handler.php access control | 29.06.2026 | |
| CVE-2026-13569 | weng-xianhu EyouCMS API index.php sql injection | 29.06.2026 | |
| CVE-2026-13570 | SourceCodester Inventory Management System User Registration Endpoint users_handler.php cross site scripting | 29.06.2026 | |
| CVE-2026-13676 | fast-uri vulnerable to host confusion via failed IDN canonicalization | 29.06.2026 | 7.5 |
| CVE-2026-40521 | FrontAccounting < 2.4.20 Path Traversal RCE via attachment upload | 29.06.2026 | |
| CVE-2026-40522 | FrontAccounting < 2.4.20 SQL Injection via rep601.php | 29.06.2026 | |
| CVE-2026-40523 | FrontAccounting < 2.4.20 SQL Injection via reporting/rep710.php | 29.06.2026 | |
| CVE-2026-40524 | FrontAccounting < 2.4.20 SQL Injection via get_gl_transactions() | 29.06.2026 | |
| CVE-2026-54369 | acl < 2.4.0 Symlink Traversal Privilege Escalation via libacl Functions | 29.06.2026 | |
| CVE-2026-54370 | acl < 2.4.0 TOCTOU Symlink Traversal via getfacl/setfacl/chacl | 29.06.2026 | |
| CVE-2026-54371 | attr < 2.6.0 Symlink Traversal Privilege Escalation via getfattr/setfattr | 29.06.2026 | |
| CVE-2026-56457 | HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information | 29.06.2026 | 4.3 |
| CVE-2026-13558 | CodeAstro Complaint Management System Report addreport cross site scripting | 29.06.2026 | |
| CVE-2026-13559 | code-projects Real State Services single-list_sale.php add sql injection | 29.06.2026 | |
| CVE-2026-13560 | Edimax EW-7478APC POST Request formAccept os command injection | 29.06.2026 | |
| CVE-2026-13561 | Edimax EW-7478APC POST Request formiNICbasic os command injection | 29.06.2026 | |
| CVE-2026-13562 | Edimax EW-7478APC POST Request formiNICSiteSurvey buffer overflow | 29.06.2026 | |
| CVE-2026-13563 | Edimax EW-7478APC POST Request formL2TPSetup stack-based overflow | 29.06.2026 | |
| CVE-2026-13564 | Edimax EW-7478APC POST Request formPPPoESetup stack-based overflow | 29.06.2026 | |
| CVE-2026-41991 | Predictable Temporary File in GNU gzip | 29.06.2026 | |
| CVE-2026-41992 | Global Buffer Overflow in GNU gzip | 29.06.2026 | |
| CVE-2026-13552 | itsourcecode Online Hotel Management System controller.php edit sql injection | 29.06.2026 | |
| CVE-2026-13553 | itsourcecode Online Hotel Management System controller.php add unrestricted upload | 29.06.2026 | |
| CVE-2026-13554 | itsourcecode Online Hotel Management System POST Request controller.php add cross site scripting | 29.06.2026 | |
| CVE-2026-13555 | itsourcecode Online Hotel Management System controller.php add sql injection | 29.06.2026 | |
| CVE-2026-13556 | itsourcecode Online Hotel Management System POST Request controller.php edit cross site scripting | 29.06.2026 | |
| CVE-2026-13557 | itsourcecode Online Hotel Management System POST Request controller.php add cross site scripting | 29.06.2026 | |
| CVE-2026-13601 | Yelp: yelp-xsl: overly permissive content security policy in yelp allows host file disclosure from flatpak applications | 29.06.2026 | |
| CVE-2026-25707 | Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp | 29.06.2026 | 8.8 |
| CVE-2026-57346 | WordPress Embed Privacy plugin <= 1.12.3 - Arbitrary File Deletion vulnerability | 29.06.2026 | 7.1 |
| CVE-2026-13545 | D-Link DCS-935L POST Parameter setconf.cgi sub_400E40 os command injection | 29.06.2026 | |
| CVE-2026-13546 | Feehi CMS REST API Endpoint articles missing authentication | 29.06.2026 | |
| CVE-2026-13547 | Hanwang e-Face General Management Platform upload.do unrestricted upload | 29.06.2026 | |
| CVE-2026-13548 | itsourcecode Hospital Management System doctortimings.php sql injection | 29.06.2026 | |
| CVE-2026-13549 | CodeAstro Complaint Management System Report Endpoint Report.php deletereport authorization | 29.06.2026 | |
| CVE-2026-13550 | itsourcecode Baptism Information Management System delbaptism.php sql injection | 29.06.2026 | |
| CVE-2026-13551 | itsourcecode Baptism Information Management System editBaptism.php sql injection | 29.06.2026 | |
| CVE-2026-13595 | Util-linux: util-linux: heap use-after-free in libblkid nested partition probing | 29.06.2026 | |
| CVE-2026-22078 | O+ Connect's lack of authentication for IPC channels led to a local privilege escalation vulnerability. | 29.06.2026 | 7.3 |
| CVE-2026-57676 | WordPress Simple User Avatar plugin <= 4.9 - Insecure Direct Object References (IDOR) vulnerability | 29.06.2026 | 4.3 |
| CVE-2026-57965 | Spice-vdagent: integer overflow in udscs_write() leading to heap buffer overflow | 29.06.2026 | |
| CVE-2026-57966 | Spice-vdagent: path traversal in file transfer via unsanitized filename | 29.06.2026 | |
| CVE-2026-9267 | | 29.06.2026 | |
| CVE-2025-0824 | lack of validation for firmware update in Hitachi Virtual Storage | 29.06.2026 | 3.7 |
| CVE-2025-2902 | Improper Authorization Vulnerability of Maintenance Utility in Hitachi Virtual Storage Platform | 29.06.2026 | 8.3 |
| CVE-2025-7386 | Information exposure vulnerability in Hitachi Storage Navigator | 29.06.2026 | 6.8 |
| CVE-2026-10083 | APCu Manager < 4.5.0 - Unauthenticated Stored XSS via Cache Key Pollution | 29.06.2026 | |
| CVE-2026-13539 | Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow | 29.06.2026 | |
| CVE-2026-13540 | GitBucket RepositoryCreationService.scala Git.cloneRepository.setURI server-side request forgery | 29.06.2026 | |
| CVE-2026-13541 | itsourcecode Hospital Management System doctorchangepassword.php sql injection | 29.06.2026 | |
| CVE-2026-13542 | itsourcecode Hospital Management System doctorprofile.php sql injection | 29.06.2026 | |
| CVE-2026-13543 | Documenso Google OAuth Login handle-oauth-callback-url.ts improper authentication | 29.06.2026 | |
| CVE-2026-13544 | Feehi CMS API users access control | 29.06.2026 | |
| CVE-2026-9676 | f4 Post Tree < 2.0.5 - Subscriber+ Arbitrary Post Parent/Menu Order Modification | 29.06.2026 | |
| CVE-2026-13532 | itsourcecode Hospital Management System departmentDoctor.php sql injection | 29.06.2026 | |
| CVE-2026-13533 | agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access | 29.06.2026 | |
| CVE-2026-13534 | CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization | 29.06.2026 | |
| CVE-2026-13535 | CodeAstro Human Resource Management System View Endpoint Employee_model.php GetFileInfo sql injection | 29.06.2026 | |
| CVE-2026-13536 | GotoHTTP reg.12x cross site scripting | 29.06.2026 | |
| CVE-2026-13537 | CodeAstro Human Resource Management System cross-site request forgery | 29.06.2026 | |
| CVE-2026-13538 | Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection | 29.06.2026 | |
| CVE-2026-53325 | agp/amd64: Fix broken error propagation in agp_amd64_probe() | 29.06.2026 | |
| CVE-2026-13527 | SourceCodester Class and Exam Timetabling System preview4.php sql injection | 29.06.2026 | |
| CVE-2026-13528 | YunaiV/zhijiantianya ruoyi-vue-pro AppFileController File Upload Endpoint FileServiceImpl.java generateUploadPath path traversal | 29.06.2026 | |
| CVE-2026-13529 | YzmCMS index.php sql injection | 29.06.2026 | |
| CVE-2026-13530 | itsourcecode Hospital Management System Appointment appointmentdetail.php sql injection | 29.06.2026 | |
| CVE-2026-13531 | itsourcecode Hospital Management System department.php sql injection | 29.06.2026 | |
| CVE-2026-13523 | GPAC ISOBMFF base_encoding.c data amplification | 29.06.2026 | |
| CVE-2026-13524 | CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization | 29.06.2026 | |
| CVE-2026-13525 | CodeAstro Human Resource Management System Update_Earn_Leave Endpoint Employee_model.php emselectByCode sql injection | 29.06.2026 | |
| CVE-2026-13526 | SourceCodester Class and Exam Timetabling System edit_class.php sql injection | 29.06.2026 | |
| CVE-2026-13519 | Tenda JD12L NatStaticSetting fromNatStaticSetting stack-based overflow | 29.06.2026 | |
| CVE-2026-13520 | itsourcecode Hospital Management System Appointment appointmentapproval.php sql injection | 29.06.2026 | |
| CVE-2026-13521 | SourceCodester Class and Exam Timetabling System preview5.php sql injection | 29.06.2026 | |
| CVE-2026-13522 | Investintech SlimPDFReader PDF File SlimPDFReader.exe TeighaDo+0x25cde0 out-of-bounds | 29.06.2026 | |
| CVE-2026-13517 | Tenda JD12L WifiBasicSet formWifiBasicSet stack-based overflow | 29.06.2026 | |
| CVE-2026-13518 | Tenda JD12L addressNat fromAddressNat stack-based overflow | 29.06.2026 | |
| CVE-2026-13516 | Tenda JD12L WifiGuestSet fromSetWifiGusetBasic stack-based overflow | 29.06.2026 | |
| CVE-2026-13513 | MyScale MyScaleDB SegmentId.h getCacheKey data authenticity | 29.06.2026 | |
| CVE-2026-13514 | Chess Play and Learn App com.chess AndroidManifest.xml backup | 29.06.2026 | |
| CVE-2026-13515 | Tenda JD12L SetPptpServerCfg formSetPPTPServer stack-based overflow | 28.06.2026 | |
| CVE-2026-13512 | Databend Tenant client_session_manager.rs state_key authorization | 28.06.2026 | |
| CVE-2026-13510 | SimStudioAI sim Password Protection deployment.ts weak hash | 29.06.2026 | |
| CVE-2026-13511 | VoltAgent Memory REST API memory.handlers.ts handleGetMemoryConversation improper authorization | 29.06.2026 | |
| CVE-2026-13508 | khoj-ai khoj Conversation Sharing api_chat.py authorization | 29.06.2026 | |
| CVE-2026-13509 | RAGapp Knowledge File files.py FileHandler.remove_file path traversal | 28.06.2026 | |
| CVE-2026-13507 | volcengine OpenViking Local VectorDB Primary-key Label str_to_uint64.py str_to_uint64 data authenticity | 29.06.2026 | |
| CVE-2026-49048 | Joomla Extension - joomcoder.com - Unauthenticated SQL Injection in JoomCCK extension for Joomla < 6.4.1 | 29.06.2026 | |
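Both tables above use the same row layout: a CVE identifier, a free-form title, an update date in DD.MM.YYYY form, and an optional score. Naive whitespace splitting fails on it because titles contain version bounds such as "<= 7.4" and some rows carry no title or no score at all. The following Python is an added example written for this page; it is not code from the feed or from any of the projects listed. It assumes only that row layout (it also accepts the pipe-delimited form of the rows), embeds a constructed sample of rows copied from the listing, and applies a keyword heuristic (assumed, not part of the feed) to pull out high-score entries whose titles indicate no credentials are needed. Rows with a missing title or score are reported for manual lookup rather than dropped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Row layout of the listing: "<CVE-ID> <title> <DD.MM.YYYY> [<score>]".
# Titles freely contain digits, dots and "<=" version bounds, so the date
# token is the only reliable anchor for where the title ends. Both the
# title and the score can be absent, as several rows in the feed show.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})"
    r"(?:\s+(?P<title>.*?))?"
    r"\s+(?P<date>\d{2}\.\d{2}\.\d{4})"
    r"(?:\s+(?P<score>\d{1,2}(?:\.\d)?))?\s*$"
)


@dataclass(frozen=True)
class CveRow:
    cve: str
    title: Optional[str]    # None when the feed row carried no title
    updated: str            # ISO date, YYYY-MM-DD
    score: Optional[float]  # None when the feed row carried no score


def parse_row(line: str) -> Optional[CveRow]:
    """Parse one listing row; header, blank and separator lines give None.

    Pipe-delimited rows ("| CVE | title | date | score |") are accepted as
    well, by collapsing the cells back into the whitespace-separated layout.
    """
    text = line.strip()
    if "|" in text:
        cells = [c.strip() for c in text.strip("|").split("|")]
        if cells and set(cells[0]) <= set("-: "):   # table separator row
            return None
        text = " ".join(c for c in cells if c)
    m = ROW_RE.match(text)
    if not m:
        return None
    day, month, year = m.group("date").split(".")
    score = m.group("score")
    return CveRow(
        cve=m.group("cve"),
        title=m.group("title") or None,
        updated=f"{year}-{month}-{day}",
        score=float(score) if score is not None else None,
    )


def parse_listing(text: str) -> List[CveRow]:
    return [r for r in (parse_row(ln) for ln in text.splitlines()) if r]


# Assumed heuristic: title phrases that, in this feed, signal "reachable
# without credentials". That, more than the score alone, decides what an
# exposed instance needs patched today. A title can be pre-auth without
# using any of these words, so treat misses as "unknown", not "safe".
PREAUTH_RE = re.compile(
    r"\b(unauthenticated|pre-auth(?:entication)?|missing authentication"
    r"|authentication bypass)\b",
    re.IGNORECASE,
)


def triage(rows: List[CveRow], min_score: float = 9.0
           ) -> Tuple[List[CveRow], List[CveRow]]:
    """Return (pre-auth hits at/above min_score, most severe first) and
    (rows missing a title or score, which need a manual lookup rather
    than being silently dropped)."""
    hits, needs_lookup = [], []
    for r in rows:
        if r.title is None or r.score is None:
            needs_lookup.append(r)
        elif r.score >= min_score and PREAUTH_RE.search(r.title):
            hits.append(r)
    hits.sort(key=lambda r: (-r.score, r.cve))
    return hits, needs_lookup


# Constructed sample: a few rows copied from the listing above, including
# the two row shapes (no title, no score) that break naive splitting.
SAMPLE = """\
CVE Title Updated Score
CVE-2026-56290 Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0 29.06.2026 10
CVE-2026-53576 Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass 26.06.2026 10
CVE-2026-54825 WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability 26.06.2026 9.3
CVE-2026-41120 26.06.2026 9.8
CVE-2026-55844 Home Assistant: iOS Companion App ignores internal SSID allowlist for connections 29.06.2026 7.5
CVE-2026-57523 29.06.2026
CVE-2026-40702 EVoke Systems EVoke CSMS Missing Authentication for Critical Function 26.06.2026 9.3
CVE-2026-55413 ToolJet - Marketplace Plugin Poisoning Enables Instance-Wide Remote Code Execution 25.06.2026 9.4
"""


def triage_sample() -> Tuple[List[CveRow], List[CveRow]]:
    return triage(parse_listing(SAMPLE))


if __name__ == "__main__":
    hits, lookup = triage_sample()
    for r in hits:
        print(f"{r.score:>4}  {r.cve}  {r.updated}  {r.title}")
    for r in lookup:
        print(f"   ?  {r.cve}  {r.updated}  (no title/score in feed; look it up)")
```

On the sample, the three pre-auth rows at or above 9.0 come out first (the two scored 10 ahead of the 9.3), the wpDataTables and ToolJet rows are left for a second pass because nothing in their titles says they are reachable unauthenticated, and the two incomplete rows are listed separately. Feed titles are advisory summaries, not CVSS vectors, so the keyword pass is a prioritiser for reading order, not a substitute for checking the advisory.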