NVD Vulnerability Information Top

Show Search Menu

Vendor Name
プロダクト・サービス名
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
In descending order of publication date
In descending order of update date
Number of items displayed

NVD Vulnerability Information Top

You can search the list of vulnerabilities managed by the NVD (National Vulnerability Database).
Since vulnerability information is often updated before JVN (Japan Vulnerability Note), vulnerabilities that are not listed in JVN may be updated.

If there is a vulnerability related to JVN (Japan Vulnerability Note), the information will be displayed on the detail page.

To search by CWE, please refer to the CWE Overview and check the CWE number.

CRITICAL
HIGH
MEDIUM
LOW

Update Date:June 22, 2026, 4 a.m.

No	CVSS	Level Attach Vector	Vendor Name	Project Name	Title	CWE	CVE	Update Date	Publication Date	Show Affected	Exploit PoC Search
6701	6.5	MEDIUM Network	-	-	The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to retur…	CWE-862 Missing Authorization	CVE-2026-21836	2026-05-20 23:23	2026-05-20	Show	GitHub Exploit DB Packet Storm

6702	6.5	MEDIUM Adjacent	mozilla	firefox	Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-…	CWE-200 CWE-306 Information Exposure Missing Authentication for Critical Function	CVE-2026-8706	2026-05-20 23:23	2026-05-20	Show	GitHub Exploit DB Packet Storm

6703	8.6	HIGH Network	tenable	terrascan	Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when run…	CWE-918 Server-Side Request Forgery (SSRF)	CVE-2026-47356	2026-05-20 23:23	2026-05-20	Show	GitHub Exploit DB Packet Storm

6704	-	-	-	-	mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-cont…	CWE-79 Cross-site Scripting	CVE-2026-7460	2026-05-20 23:23	2026-05-20	Show	GitHub Exploit DB Packet Storm

6705	8.6	HIGH Network	tenable	terrascan	Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/sca…	CWE-73 CWE-610 CWE-918 External Control of File Name or Path Externally Controlled Reference to a Resource in Another Sphere Server-Side Request Forgery (SSRF)	CVE-2026-47357	2026-05-20 23:23	2026-05-20	Show	GitHub Exploit DB Packet Storm

6706	7.5	HIGH Network	mozilla	firefox thunderbird	Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.	CWE-290 Authentication Bypass by Spoofing	CVE-2026-8960	2026-05-20 23:20	2026-05-19	Show	GitHub Exploit DB Packet Storm

6707	8.6	HIGH Network	tenable	terrascan	Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM …	CWE-73 CWE-610 CWE-918 External Control of File Name or Path Externally Controlled Reference to a Resource in Another Sphere Server-Side Request Forgery (SSRF)	CVE-2026-47358	2026-05-20 23:18	2026-05-20	Show	GitHub Exploit DB Packet Storm

6708	6.5	MEDIUM Network	struktur	libheif	libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer und…	CWE-125 CWE-476 Out-of-bounds Read NULL Pointer Dereference	CVE-2026-32738	2026-05-20 23:17	2026-05-20	Show	GitHub Exploit DB Packet Storm

6709	6.5	MEDIUM Network	struktur	libheif	libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 1…	CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')	CVE-2026-32739	2026-05-20 23:17	2026-05-20	Show	GitHub Exploit DB Packet Storm

6710	6.1	MEDIUM Network	-	-	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.…	CWE-79 Cross-site Scripting	CVE-2026-6367	2026-05-20 23:17	2026-05-20	Show	GitHub Exploit DB Packet Storm

6711	6.1	MEDIUM Network	-	-	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0…	CWE-79 Cross-site Scripting	CVE-2026-6365	2026-05-20 23:17	2026-05-20	Show	GitHub Exploit DB Packet Storm

6712	6.1	MEDIUM Network	-	-	Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could…	CWE-79 Cross-site Scripting	CVE-2026-5090	2026-05-20 23:17	2026-05-20	Show	GitHub Exploit DB Packet Storm

6713	6.8	MEDIUM Network	-	-	Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, al…	CWE-22 CWE-73 Path Traversal External Control of File Name or Path	CVE-2026-35593	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6714	6.8	MEDIUM Network	-	-	EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later…	CWE-79 Cross-site Scripting	CVE-2026-33741	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6715	6.5	MEDIUM Network	-	-	libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to …	CWE-200 CWE-908 Information Exposure Use of Uninitialized Resource	CVE-2026-32814	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6716	9.1	CRITICAL Network	-	-	API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt p…	CWE-306 Missing Authentication for Critical Function	CVE-2026-31071	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6717	9.8	CRITICAL Network	-	-	The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/…	CWE-269 Improper Privilege Management	CVE-2026-31070	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6718	8.8	HIGH Network	-	-	BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpo…	CWE-89 SQL Injection	CVE-2026-31069	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6719	9.8	CRITICAL Network	-	-	scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers…	CWE-918 Server-Side Request Forgery (SSRF)	CVE-2026-30118	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6720	9.8	CRITICAL Network	-	-	scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execut…	CWE-94 Code Injection	CVE-2026-30117	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6721	4.6	MEDIUM Physics	-	-	Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. A…	CWE-1284 Improper Validation of Specified Quantity in Input	CVE-2025-15645	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6722	6.5	MEDIUM Network	-	-	Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting inc…	CWE-704 Incorrect Type Conversion or Cast	CVE-2023-7345	2026-05-20 23:16	2026-05-20	Show	GitHub Exploit DB Packet Storm

6723	6.6	MEDIUM Network	-	-	CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied requ…	CWE-470 Unsafe Reflection	CVE-2026-34216	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6724	6.5	MEDIUM Network	-	-	CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenti…	CWE-284 CWE-862 Improper Access Control Missing Authorization	CVE-2026-34233	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6725	-	-	-	-	Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current on…	CWE-79 Cross-site Scripting	CVE-2026-34463	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6726	-	-	-	-	Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (…	CWE-284 Improper Access Control	CVE-2026-34390	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6727	-	-	-	-	Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST req…	CWE-200 CWE-863 Information Exposure Incorrect Authorization	CVE-2026-34579	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6728	-	-	-	-	Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it b…	CWE-200 CWE-281 Information Exposure Improper Preservation of Permissions	CVE-2026-34744	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6729	4.3	MEDIUM Network	-	-	Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This is…	CWE-284 Improper Access Control	CVE-2026-34754	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6730	-	-	-	-	Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. Th…	CWE-200 Information Exposure	CVE-2026-34970	2026-05-20 23:06	2026-05-20	Show	GitHub Exploit DB Packet Storm

6731	-	-	-	-	Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of Memo…	CWE-124 Buffer Underflow	CVE-2024-36343	2026-05-20 23:04	2026-05-20	Show	GitHub Exploit DB Packet Storm

6732	5.4	MEDIUM Network	-	-	A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a differ…	-	CVE-2026-9056	2026-05-20 23:04	2026-05-20	Show	GitHub Exploit DB Packet Storm

6733	8.2	HIGH Network	-	-	A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a p…	-	CVE-2026-9057	2026-05-20 23:04	2026-05-20	Show	GitHub Exploit DB Packet Storm

6734	8.0	HIGH Network	-	-	Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: The ve…	CWE-352 Origin Validation Error	CVE-2025-11954	2026-05-20 23:04	2026-05-20	Show	GitHub Exploit DB Packet Storm

6735	7.8	HIGH Local	-	-	Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Clie…	CWE-284 Improper Access Control	CVE-2026-0856	2026-05-20 23:03	2026-05-20	Show	GitHub Exploit DB Packet Storm

6736	6.0	MEDIUM Local	-	-	Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component. This issue affects Meona Client Launcher Component: thr…	CWE-316 Cleartext Storage of Sensitive Information in Memory	CVE-2026-0857	2026-05-20 23:03	2026-05-20	Show	GitHub Exploit DB Packet Storm

6737	9.0	CRITICAL Network	-	-	Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This…	CWE-94 Code Injection	CVE-2026-22314	2026-05-20 23:03	2026-05-20	Show	GitHub Exploit DB Packet Storm

6738	7.2	HIGH Network	-	-	Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL ed…	CWE-266 Incorrect Privilege Assignment	CVE-2026-22315	2026-05-20 23:03	2026-05-20	Show	GitHub Exploit DB Packet Storm

6739	4.4	MEDIUM Local	-	-	Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This i…	CWE-345 Insufficient Verification of Data Authenticity	CVE-2026-25602	2026-05-20 23:03	2026-05-20	Show	GitHub Exploit DB Packet Storm

6740	-	-	-	-	NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too ma…	CWE-407 CWE-770 Inefficient Algorithmic Complexity Allocation of Resources Without Limits or Throttling	CVE-2026-41292	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6741	-	-	-	-	NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbou…	CWE-125 CWE-166 Out-of-bounds Read Improper Handling of Missing Special Element	CVE-2026-32792	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6742	-	-	-	-	NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying …	CWE-416 CWE-672 Use After Free Operation on a Resource after Expiration or Release	CVE-2026-33278	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6743	-	-	-	-	NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could ren…	CWE-440 Expected Behavior Violation	CVE-2026-42534	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6744	-	-	-	-	NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit…	CWE-407 Inefficient Algorithmic Complexity	CVE-2026-42923	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6745	7.5	HIGH Network	-	-	A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated a…	CWE-770 Allocation of Resources Without Limits or Throttling	CVE-2026-9064	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6746	-	-	-	-	NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the re…	CWE-197 CWE-787 Numeric Truncation Error Out-of-bounds Write	CVE-2026-42944	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6747	-	-	-	-	NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs …	CWE-824 Access of Uninitialized Pointer	CVE-2026-42959	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6748	-	-	-	-	NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority sec…	CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data	CVE-2026-42960	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6749	-	-	-	-	NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses…	CWE-407 Inefficient Algorithmic Complexity	CVE-2026-44390	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm

6750	-	-	-	-	NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'…	CWE-413 Improper Resource Locking	CVE-2026-44608	2026-05-20 23:02	2026-05-20	Show	GitHub Exploit DB Packet Storm