NVD Vulnerability Information Top
Show Search Menu
Vendor Name
プロダクト・サービス名
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
In descending order of publication date
In descending order of update date
Number of items displayed

You can search the list of vulnerabilities managed by the NVD (National Vulnerability Database).
Since vulnerability information is often updated before JVN (Japan Vulnerability Note), vulnerabilities that are not listed in JVN may be updated.

If there is a vulnerability related to JVN (Japan Vulnerability Note), the information will be displayed on the detail page.

To search by CWE, please refer to the CWE Overview and check the CWE number.

  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW

Update Date:July 2, 2026, 4:03 a.m.

No CVSS Level
Attach Vector
Vendor Name Project Name Title CWE CVE Update Date Publication Date Show Affected Exploit
PoC
Search
4801 8.3 HIGH
Network
google chrome Use after free in Aura in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTM… CWE-416
 Use After Free
CVE-2026-11631 2026-06-9 23:45 2026-06-9 Show GitHub Exploit DB Packet Storm
4802 3.3 LOW
Network
- - A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precis… CWE-122
Heap-based Buffer Overflow
CVE-2026-11792 2026-06-9 23:42 2026-06-9 Show GitHub Exploit DB Packet Storm
4803 9.6 CRITICAL
Network
google chrome Use after free in WebMIDI in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) CWE-416
 Use After Free
CVE-2026-11165 2026-06-9 23:24 2026-06-5 Show GitHub Exploit DB Packet Storm
4804 9.8 CRITICAL
Network
- - A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the head… CWE-170
CWE-787
 Improper Null Termination
 Out-of-bounds Write
CVE-2026-5067 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4805 - -
- - In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two min_region_sz on damon_start() Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_reg… - CVE-2026-52905 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4806 - -
- - In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix nvkm_device leak on aperture removal failure When aperture_remove_conflicting_pci_devices() fails during probe, … - CVE-2026-52904 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4807 5.3 MEDIUM
Network
- - The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads a… CWE-862
 Missing Authorization
CVE-2026-4986 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4808 - -
- - In the Linux kernel, the following vulnerability has been resolved: erofs: handle end of filesystem properly for file-backed mounts I/O requests beyond the end of the filesystem should be zeroed ou… - CVE-2026-46329 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4809 6.1 MEDIUM
Network
- - Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parame… CWE-79
Cross-site Scripting
CVE-2026-38579 2026-06-9 23:16 2026-06-6 Show GitHub Exploit DB Packet Storm
4810 - -
- - A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allow a local attacker to leverage a race condition and symlink manipulation to achieve pr… CWE-367
 Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2026-2638 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4811 8.3 HIGH
Network
- - Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.… CWE-472
 External Control of Assumed-Immutable Web Parameter
CVE-2026-11640 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4812 8.8 HIGH
Network
- - Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exe… CWE-78
CWE-77
OS Command 
Command Injection
CVE-2026-11572 2026-06-9 23:16 2026-06-9 Show GitHub Exploit DB Packet Storm
4813 6.5 MEDIUM
Network
google chrome Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) CWE-693
 Protection Mechanism Failure
CVE-2026-11288 2026-06-9 22:59 2026-06-5 Show GitHub Exploit DB Packet Storm
4814 6.5 MEDIUM
Network
google chrome Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) CWE-1300
CWE-203
 Improper Protection of Physical Side Channels
 Information Exposure Through Discrepancy
CVE-2026-11289 2026-06-9 22:58 2026-06-5 Show GitHub Exploit DB Packet Storm
4815 7.5 HIGH
Network
- - Shenzhen Tenda Technology Co., Ltd Tenda AC1206 v15.03.06.23 was discovered to contain multiple stack overflows in the fromGstDhcpSetSer function via the username and password parameters. These vulne… CWE-121
Stack-based Buffer Overflow
CVE-2026-36789 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4816 6.5 MEDIUM
Network
- - OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account c… CWE-348
 Use of Less Trusted Source
CVE-2020-37248 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4817 7.5 HIGH
Network
- - Software installed and run as a non-privileged user may conduct improper GPU system calls to corrupt kernel heap memory. By creating resources of certain types and presenting a set of parameters t… CWE-122
Heap-based Buffer Overflow
CVE-2026-22164 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4818 7.1 HIGH
Local
- - Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of a mapping state maintained for a sparse memory allocation. The product accidenta… CWE-468
CVE-2026-34194 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4819 7.5 HIGH
Network
- - Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the list1 parameter of the fromDhcpListClient function. This vulnerability allows attackers to ca… CWE-121
Stack-based Buffer Overflow
CVE-2026-36786 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4820 8.8 HIGH
Network
- - Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically del… CWE-285
CWE-613
Improper Authorization
 Insufficient Session Expiration
CVE-2026-46656 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4821 7.1 HIGH
Network
- - Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tok… CWE-212
CWE-613
 Improper Removal of Sensitive Information Before Storage or Transfer
 Insufficient Session Expiration
CVE-2026-46657 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4822 8.7 HIGH
Network
- - A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to inject malicious JavaScrip… CWE-79
Cross-site Scripting
CVE-2026-41031 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4823 - -
- - When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This… CWE-280
Improper Handling of Insufficient Permissions or Privileges 
CVE-2026-11764 2026-06-9 22:57 2026-06-9 Show GitHub Exploit DB Packet Storm
4824 4.3 MEDIUM
Network
google chrome Insufficient policy enforcement in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) CWE-693
 Protection Mechanism Failure
CVE-2026-11292 2026-06-9 22:54 2026-06-5 Show GitHub Exploit DB Packet Storm
4825 9.6 CRITICAL
Network
google chrome Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) CWE-416
 Use After Free
CVE-2026-11293 2026-06-9 22:53 2026-06-5 Show GitHub Exploit DB Packet Storm
4826 7.6 HIGH
Adjacent
- - A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf… CWE-787
 Out-of-bounds Write
CVE-2026-5068 2026-06-9 22:53 2026-06-9 Show GitHub Exploit DB Packet Storm
4827 6.0 MEDIUM
Local
- - Dell iDRAC Tools, versions prior to 11.4.1.0, contains an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially e… CWE-59
Link Following
CVE-2026-28262 2026-06-9 22:53 2026-06-9 Show GitHub Exploit DB Packet Storm
4828 4.8 MEDIUM
Network
- - QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG f… CWE-79
Cross-site Scripting
CVE-2026-25558 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4829 9.8 CRITICAL
Network
- - OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an e… CWE-305
 Authentication Bypass by Primary Weakness
CVE-2026-25555 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4830 8.8 HIGH
Network
- - OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by … CWE-22
Path Traversal
CVE-2026-25559 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4831 8.8 HIGH
Network
- - OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat.ps1.sh) through the File… CWE-78
OS Command 
CVE-2026-25855 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4832 8.8 HIGH
Network
- - OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifyin… CWE-94
Code Injection
CVE-2026-25856 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4833 6.5 MEDIUM
Network
- - OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy sour… CWE-522
 Insufficiently Protected Credentials
CVE-2026-39908 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4834 9.8 CRITICAL
Network
- - STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary… CWE-862
 Missing Authorization
CVE-2026-39910 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4835 9.4 CRITICAL
Network
- - AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequen… CWE-22
Path Traversal
CVE-2026-41448 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4836 - -
- - A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authe… CWE-78
OS Command 
CVE-2026-8913 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4837 7.5 HIGH
Network
- - Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() functio… CWE-78
OS Command 
CVE-2026-40519 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4838 7.1 HIGH
Network
- - WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by su… CWE-639
 Authorization Bypass Through User-Controlled Key
CVE-2026-49141 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4839 3.5 LOW
Network
- - The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrato… CWE-79
Cross-site Scripting
CVE-2026-8981 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4840 - -
- - SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be a… CWE-89
SQL Injection
CVE-2026-10731 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4841 8.2 HIGH
Network
- - Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST pa… CWE-89
SQL Injection
CVE-2016-20062 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4842 7.1 HIGH
Network
- - Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attac… CWE-89
SQL Injection
CVE-2016-20063 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4843 6.2 MEDIUM
Local
- - WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attacke… CWE-98
 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2016-20064 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4844 8.2 HIGH
Network
- - Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the selec… CWE-89
SQL Injection
CVE-2016-20065 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4845 8.2 HIGH
Network
- - WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code th… CWE-89
SQL Injection
CVE-2017-20243 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4846 8.2 HIGH
Network
- - Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. … CWE-89
SQL Injection
CVE-2017-20244 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4847 8.2 HIGH
Network
- - Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parame… CWE-89
SQL Injection
CVE-2017-20245 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4848 8.2 HIGH
Network
- - KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can i… CWE-89
SQL Injection
CVE-2017-20246 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4849 8.2 HIGH
Network
- - WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid para… CWE-89
SQL Injection
CVE-2017-20247 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm
4850 7.5 HIGH
Network
- - Apptha Slider Gallery 1.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the imgname parameter. Attackers can send requests … CWE-22
Path Traversal
CVE-2017-20248 2026-06-9 22:51 2026-06-9 Show GitHub Exploit DB Packet Storm