NVD Vulnerability Information Top
Show Search Menu
Vendor Name
プロダクト・サービス名
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
In descending order of publication date
In descending order of update date
Number of items displayed

You can search the list of vulnerabilities managed by the NVD (National Vulnerability Database).
Since vulnerability information is often updated before JVN (Japan Vulnerability Note), vulnerabilities that are not listed in JVN may be updated.

If there is a vulnerability related to JVN (Japan Vulnerability Note), the information will be displayed on the detail page.

To search by CWE, please refer to the CWE Overview and check the CWE number.

  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW

Update Date:July 4, 2026, 4:18 a.m.

No CVSS Level
Attach Vector
Vendor Name Project Name Title CWE CVE Update Date Publication Date Show Affected Exploit
PoC
Search
5001 6.5 MEDIUM
Network
apache apache-airflow-providers-samba The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path … CWE-22
Path Traversal
CVE-2026-49818 2026-06-13 00:51 2026-06-9 Show GitHub Exploit DB Packet Storm
5002 9.8 CRITICAL
Network
qnap qumagie An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have … CWE-639
 Authorization Bypass Through User-Controlled Key
CVE-2026-44083 2026-06-13 00:47 2026-06-9 Show GitHub Exploit DB Packet Storm
5003 6.5 MEDIUM
Network
qnap qts
quts_hero
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to mod… CWE-121
Stack-based Buffer Overflow
CVE-2025-62858 2026-06-13 00:44 2026-06-9 Show GitHub Exploit DB Packet Storm
5004 5.4 MEDIUM
Network
microsoft sharepoint_server Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. CWE-502
CWE-79
 Deserialization of Untrusted Data
Cross-site Scripting
CVE-2026-48560 2026-06-13 00:41 2026-06-10 Show GitHub Exploit DB Packet Storm
5005 4.6 MEDIUM
Network
microsoft sharepoint_server Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. CWE-79
Cross-site Scripting
CVE-2026-48562 2026-06-13 00:38 2026-06-10 Show GitHub Exploit DB Packet Storm
5006 6.1 MEDIUM
Network
qnap qts
quts_hero
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or… CWE-79
Cross-site Scripting
CVE-2026-41539 2026-06-13 00:37 2026-06-9 Show GitHub Exploit DB Packet Storm
5007 7.5 HIGH
Network
qnap qumagie A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We hav… CWE-862
 Missing Authorization
CVE-2026-26236 2026-06-13 00:35 2026-06-9 Show GitHub Exploit DB Packet Storm
5008 7.8 HIGH
Local
siemens sinec_ins A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a binary that is configured with the cap_dac_override capability. This capability all… CWE-250
 Execution with Unnecessary Privileges
CVE-2026-46748 2026-06-13 00:33 2026-06-9 Show GitHub Exploit DB Packet Storm
5009 - -
- - Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-priv… CWE-22
Path Traversal
CVE-2026-45171 2026-06-13 00:30 2026-06-12 Show GitHub Exploit DB Packet Storm
5010 - -
- - Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially exe… CWE-78
OS Command 
CVE-2026-45172 2026-06-13 00:30 2026-06-12 Show GitHub Exploit DB Packet Storm
5011 - -
- - Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated … CWE-346
 Origin Validation Error
CVE-2026-45173 2026-06-13 00:30 2026-06-12 Show GitHub Exploit DB Packet Storm
5012 - -
- - Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19 CWE-404
 Improper Resource Shutdown or Release
CVE-2026-45174 2026-06-13 00:30 2026-06-12 Show GitHub Exploit DB Packet Storm
5013 - -
- - Idira Privilege Cloud Connector versions prior 1.1.100504 under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced. CyberArk Security Bulletin: CA26… CWE-295
Improper Certificate Validation 
CVE-2026-45170 2026-06-13 00:30 2026-06-12 Show GitHub Exploit DB Packet Storm
5014 - -
- - Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 exhibit a validation vulnerability. Under specific circumstances and configuration scenari… CWE-400
 Uncontrolled Resource Consumption
CVE-2026-45169 2026-06-13 00:30 2026-06-12 Show GitHub Exploit DB Packet Storm
5015 5.3 MEDIUM
Network
siemens sinec_ins A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used fo… CWE-26
 Path Traversal: '/dir/../filename'
CVE-2026-46747 2026-06-13 00:28 2026-06-9 Show GitHub Exploit DB Packet Storm
5016 7.8 HIGH
Local
adobe format_plugins Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of … CWE-122
Heap-based Buffer Overflow
CVE-2026-48292 2026-06-13 00:19 2026-06-10 Show GitHub Exploit DB Packet Storm
5017 7.4 HIGH
Network
- - A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTok… CWE-367
 Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2026-50631 2026-06-13 00:16 2026-06-12 Show GitHub Exploit DB Packet Storm
5018 6.5 MEDIUM
Network
- - A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage… CWE-113
HTTP Response Splitting
CVE-2026-50630 2026-06-13 00:16 2026-06-12 Show GitHub Exploit DB Packet Storm
5019 - -
- - Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user me… CWE-116
 Improper Encoding or Escaping of Output
CVE-2026-47173 2026-06-13 00:16 2026-06-12 Show GitHub Exploit DB Packet Storm
5020 5.0 MEDIUM
Network
- - An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2)… CWE-191
 Integer Underflow (Wrap or Wraparound)
CVE-2026-11850 2026-06-13 00:16 2026-06-11 Show GitHub Exploit DB Packet Storm
5021 7.8 HIGH
Local
adobe format_plugins Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of … CWE-122
Heap-based Buffer Overflow
CVE-2026-48291 2026-06-13 00:15 2026-06-10 Show GitHub Exploit DB Packet Storm
5022 9.8 CRITICAL
Network
siemens sinec_ins A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all us… CWE-760
 Use of a One-Way Hash with a Predictable Salt
CVE-2026-46749 2026-06-13 00:15 2026-06-9 Show GitHub Exploit DB Packet Storm
5023 10.0 CRITICAL
Network
adobe campaign Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current… CWE-863
 Incorrect Authorization
CVE-2026-48303 2026-06-13 00:02 2026-06-10 Show GitHub Exploit DB Packet Storm
5024 5.5 MEDIUM
Local
adobe acrobat
acrobat_reader
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this v… CWE-125
Out-of-bounds Read
CVE-2026-47961 2026-06-12 23:43 2026-06-10 Show GitHub Exploit DB Packet Storm
5025 7.8 HIGH
Local
adobe acrobat
acrobat_reader
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current … CWE-121
Stack-based Buffer Overflow
CVE-2026-47959 2026-06-12 23:41 2026-06-10 Show GitHub Exploit DB Packet Storm
5026 - -
- - Rejected reason: Reserved but no longer needed. - CVE-2026-54102 2026-06-12 23:16 2026-06-12 Show GitHub Exploit DB Packet Storm
5027 - -
- - Rejected reason: Reserved but no longer needed. - CVE-2026-54101 2026-06-12 23:16 2026-06-12 Show GitHub Exploit DB Packet Storm
5028 9.9 CRITICAL
Network
- - Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fissi… CWE-250
CWE-269
 Execution with Unnecessary Privileges
 Improper Privilege Management
CVE-2026-50566 2026-06-12 23:16 2026-06-11 Show GitHub Exploit DB Packet Storm
5029 8.8 HIGH
Network
- - A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are recommended… CWE-285
Improper Authorization
CVE-2026-47342 2026-06-12 23:16 2026-06-11 Show GitHub Exploit DB Packet Storm
5030 - -
- - Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an att… CWE-77
CWE-88
CWE-829
Command Injection
Argument Injection
 Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-46529 2026-06-12 23:16 2026-06-11 Show GitHub Exploit DB Packet Storm
5031 7.0 HIGH
Network
- - Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerab… CWE-94
CWE-1321
Code Injection
 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2026-44495 2026-06-12 23:16 2026-06-12 Show GitHub Exploit DB Packet Storm
5032 7.5 HIGH
Network
vmware spring_for_graphql The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are … CWE-284
Improper Access Control
CVE-2026-41856 2026-06-12 23:14 2026-06-11 Show GitHub Exploit DB Packet Storm
5033 8.1 HIGH
Network
vmware spring_for_graphql Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page,… CWE-346
 Origin Validation Error
CVE-2026-41700 2026-06-12 23:13 2026-06-11 Show GitHub Exploit DB Packet Storm
5034 7.5 HIGH
Network
sqlfluff sqlfluff SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be l… CWE-674
 Uncontrolled Recursion
CVE-2026-46373 2026-06-12 23:10 2026-06-10 Show GitHub Exploit DB Packet Storm
5035 7.5 HIGH
Network
sqlfluff sqlfluff SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be l… CWE-400
 Uncontrolled Resource Consumption
CVE-2026-46374 2026-06-12 23:01 2026-06-10 Show GitHub Exploit DB Packet Storm
5036 7.5 HIGH
Network
pipecat pipecat Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pip… CWE-22
Path Traversal
CVE-2026-44716 2026-06-12 23:00 2026-06-10 Show GitHub Exploit DB Packet Storm
5037 6.5 MEDIUM
Network
qnap file_station A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (… CWE-476
 NULL Pointer Dereference
CVE-2026-22899 2026-06-12 22:49 2026-06-10 Show GitHub Exploit DB Packet Storm
5038 6.5 MEDIUM
Network
qnap file_station An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to… CWE-770
 Allocation of Resources Without Limits or Throttling
CVE-2026-24720 2026-06-12 22:49 2026-06-10 Show GitHub Exploit DB Packet Storm
5039 4.4 MEDIUM
Local
qnap license_center A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpect… CWE-22
Path Traversal
CVE-2025-62851 2026-06-12 22:47 2026-06-10 Show GitHub Exploit DB Packet Storm
5040 8.1 HIGH
Network
qnap file_station An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restr… CWE-863
 Incorrect Authorization
CVE-2026-24724 2026-06-12 22:47 2026-06-10 Show GitHub Exploit DB Packet Storm
5041 9.3 CRITICAL
Network
- - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter … CWE-89
SQL Injection
CVE-2026-39494 2026-06-12 22:13 2026-06-12 Show GitHub Exploit DB Packet Storm
5042 9.3 CRITICAL
Network
- - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7… CWE-89
SQL Injection
CVE-2026-42647 2026-06-12 22:13 2026-06-12 Show GitHub Exploit DB Packet Storm
5043 7.1 HIGH
Network
- - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6. CWE-79
Cross-site Scripting
CVE-2026-42653 2026-06-12 22:13 2026-06-12 Show GitHub Exploit DB Packet Storm
5044 9.8 CRITICAL
Network
- - Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4. CWE-266
 Incorrect Privilege Assignment
CVE-2026-49060 2026-06-12 22:13 2026-06-12 Show GitHub Exploit DB Packet Storm
5045 6.4 MEDIUM
Network
- - The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0 This … CWE-79
Cross-site Scripting
CVE-2026-9125 2026-06-12 22:13 2026-06-12 Show GitHub Exploit DB Packet Storm
5046 8.8 HIGH
Network
- - Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security sev… CWE-269
 Improper Privilege Management
CVE-2026-12018 2026-06-12 22:08 2026-06-12 Show GitHub Exploit DB Packet Storm
5047 8.1 HIGH
Network
qnap file_station A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We… CWE-121
Stack-based Buffer Overflow
CVE-2026-26239 2026-06-12 21:53 2026-06-10 Show GitHub Exploit DB Packet Storm
5048 9.1 CRITICAL
Network
qnap file_station A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vul… CWE-121
Stack-based Buffer Overflow
CVE-2026-26240 2026-06-12 21:52 2026-06-10 Show GitHub Exploit DB Packet Storm
5049 9.1 CRITICAL
Network
qnap file_station A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vul… CWE-121
Stack-based Buffer Overflow
CVE-2026-26241 2026-06-12 21:51 2026-06-10 Show GitHub Exploit DB Packet Storm
5050 10.0 CRITICAL
Network
ivanti standalone_sentry An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution CWE-78
OS Command 
CVE-2026-10520 2026-06-12 21:42 2026-06-10 Show GitHub Exploit DB Packet Storm