VYPR

CVEs

344,978 total · page 1 of 6,900

  • CVE-2026-56366Jul 11, 2026
    risk 0.00cvss epss

    ImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths. Attackers can trigger this memory leak by providing specially crafted APP1JPEG image files, causing denial of service through resource exhaustion.

  • CVE-2026-56373Jul 11, 2026
    risk 0.00cvss epss

    ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that uses a stale pointer when memory allocation fails. Attackers can trigger this vulnerability by processing malicious PDB files to cause crashes or write a single zero byte to freed memory.

  • CVE-2026-55404Jul 11, 2026
    risk 0.00cvss epss

    yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient…

  • CVE-2026-59831Jul 11, 2026
    risk 0.00cvss epss

    GitHub CLI (gh) is GitHub’s official command line tool. From 2.10.0 through 2.95.0, connecting to a malicious Codespace with gh codespace jupyter can allow command execution because the command opens a JupyterLab URL supplied by a process inside the Codespace without…

  • CVE-2026-58501Jul 11, 2026
    risk 0.00cvss epss

    Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS…

  • CVE-2026-50810Jul 11, 2026
    risk 0.00cvss epss

    A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service

  • CVE-2026-54590Jul 11, 2026
    risk 0.00cvss epss

    AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before…

  • CVE-2026-52747modJul 10, 2026
    risk 0.38cvss 5.8epss

    ModSecurity: ModSecurity: Security rule bypass due to incorrect handling of line breaks in form data

  • CVE-2026-52761modJul 10, 2026
    risk 0.38cvss 5.8epss

    ModSecurity: ModSecurity: Web Application Firewall rules bypass due to incorrect UTF-8 to Unicode transformation

  • CVE-2026-15146modJul 10, 2026
    risk 0.38cvss 5.9epss

    wget: Wget: Server-Side Request Forgery via FTP PASV response IP address validation bypass

  • CVE-2026-53450impJul 10, 2026
    risk 0.41cvss 7.4epss

    coturn: Coturn: Localhost services exposed via IPv4-mapped IPv6 address bypass

  • CVE-2026-53449modJul 10, 2026
    risk 0.32cvss 6.0epss

    coturn: Coturn: Arbitrary file overwrite via CLI command

  • CVE-2026-53448impJul 10, 2026
    risk 0.40cvss 7.2epss

    coturn: Coturn: Arbitrary code execution via SQL injection in HTTPS admin panel

  • CVE-2026-59180lowJul 10, 2026
    risk 0.13cvss 3.1epss

    apprise: Apprise: Information disclosure via HTTP redirect following with credential resending

  • CVE-2026-56288Jul 10, 2026
    risk 0.00cvss epss 0.00

    GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to…

  • CVE-2026-56289Jul 10, 2026
    risk 0.00cvss epss 0.00

    GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively…

  • CVE-2026-59856Jul 10, 2026
    risk 0.00cvss epss 0.00

    Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without…

  • CVE-2026-59858Jul 10, 2026
    risk 0.00cvss epss 0.00

    Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute.…

  • CVE-2026-59857Jul 10, 2026
    risk 0.00cvss epss 0.00

    Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen <…

  • CVE-2026-59946Jul 10, 2026
    risk 0.00cvss epss 0.00

    Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a…

  • CVE-2026-59948Jul 10, 2026
    risk 0.00cvss epss 0.00

    Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and…

  • CVE-2026-59947Jul 10, 2026
    risk 0.00cvss epss 0.00

    Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in…

  • CVE-2026-15185Jul 10, 2026
    risk 0.00cvss epss 0.00

    A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally.…

  • CVE-2026-59935Jul 10, 2026
    risk 0.00cvss epss 0.00

    pypdf is a free and open-source pure-python PDF library. Prior to 6.14.2, an attacker can craft a PDF with a page content stream containing a not terminated inline image that uses the ASCII85 or ASCIIHex filters, causing an infinite loop during parsing such as when extracting…

  • CVE-2026-15143impJul 10, 2026
    risk 0.60cvss 9.3epss

    guardrails-detectors: guardrails-detectors: SSRF and local file read via user-supplied XML Schema (xml-with-schema:)

  • CVE-2026-15378impJul 10, 2026
    risk 0.60cvss 9.3epss 0.00

    guardrails-detectors: guardrails-detectors: SSRF and local file read via user-supplied XML Schema (xml-with-schema:)

  • CVE-2026-53363Jul 10, 2026
    risk 0.00cvss epss

    kernel: xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()

  • CVE-2026-15308impJul 9, 2026
    risk 0.42cvss 7.5epss 0.01

    python: Python: CPU Denial of Service in HTML parser via repeated unterminated markup declarations

  • CVE-2026-58459impJul 9, 2026
    risk 0.44cvss 7.8epss 0.01

    gpsd: gpsd: Command Injection via GPS device subtype allows arbitrary code execution

  • CVE-2026-15187modJul 9, 2026
    risk 0.28cvss 4.3epss 0.00

    enquirer: Enquirer: Prototype pollution vulnerability allows remote attackers to modify object attributes

  • CVE-2026-12590modJul 9, 2026
    risk 0.31cvss 5.9epss 0.00

    body-parser: body-parser: Denial of Service via invalid limit option

  • CVE-2026-49147Jul 9, 2026
    risk 0.00cvss epss 0.00

    App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged.…

  • CVE-2026-49146Jul 9, 2026
    risk 0.00cvss epss 0.00

    App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any…

  • CVE-2026-49145Jul 9, 2026
    risk 0.00cvss epss 0.00

    App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does…

  • CVE-2026-50811Jul 9, 2026
    risk 0.00cvss epss 0.00

    An out-of-bounds read vulnerability exists in FreeType 2.14.3 and versions before commit 5a280ecde6f324de0d226261036e736e0cb49a71 in src/truetype/ttgxvar.c, in the TT_Get_Var_Design implementation used by FT_Get_Var_Design_Coordinates

  • CVE-2026-59890Jul 9, 2026
    risk 0.00cvss epss 0.00

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file…

  • CVE-2026-58384Jul 9, 2026
    risk 0.00cvss epss 0.00

    A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial…

  • CVE-2026-59883Jul 9, 2026
    risk 0.00cvss epss 0.00

    Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1,…

  • CVE-2026-53511Jul 9, 2026
    risk 0.00cvss epss 0.00

    calibre is an e-book manager. Prior to 9.10.0, a malicious EPUB, OPF, or PDF file can execute arbitrary Python code when its metadata is read by calibre, including through Add books or Edit books, by embedding a custom column definition with a python: template in…

  • CVE-2026-56374Jul 9, 2026
    risk 0.00cvss epss 0.00

    ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger an out of bounds read by crafting malicious FTXT image files to cause denial of service or…

  • CVE-2026-56362Jul 9, 2026
    risk 0.00cvss epss 0.00

    ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger memory and disk allocation failures to cause a…

  • CVE-2026-59929Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:,…

  • CVE-2026-59922Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for…

  • CVE-2026-59930Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with…

  • CVE-2026-59928Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing…

  • CVE-2026-59927Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded…

  • CVE-2026-59926Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and…

  • CVE-2026-59925Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching…

  • CVE-2026-59924Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files…

  • CVE-2026-59923Jul 9, 2026
    risk 0.00cvss epss 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue…