VYPR

CVEs

345,196 total · page 100 of 6,904

  • CVE-2026-53464MedJun 10, 2026
    risk 0.26cvss 4.0epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, when providing invalid options to the wand option parser a small memory leak will occur. This issue has been patched in version 7.1.2-25.

  • CVE-2026-53463MedJun 10, 2026
    risk 0.28cvss 4.3epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when passing incorrect arguments in the distort operation a null pointer deference will occur. This issue has been patched in versions…

  • CVE-2026-53462MedJun 10, 2026
    risk 0.38cvss 5.9epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when an allocation fails in CheckPrimitiveExtent this can result in a heap-use-after-free and result in a crash. This issue has been patched…

  • CVE-2026-53461HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, an incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash. This issue has been patched in versions…

  • CVE-2026-53460HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition. This issue has been patched in…

  • CVE-2026-52726HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled…

  • CVE-2026-50223HigJun 10, 2026
    risk 0.57cvss 8.8epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects…

  • CVE-2026-49219MedJun 10, 2026
    risk 0.36cvss 5.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue…

  • CVE-2026-49218HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions and that could cause crashes in other operation. This…

  • CVE-2026-48994MedJun 10, 2026
    risk 0.38cvss 5.9epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check of a return value could lead to a heap buffer over-write in the MAT decoder on 32-bit systems. This issue has been patched in…

  • CVE-2026-48734MedJun 10, 2026
    risk 0.36cvss 5.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, a crafted MVG file could result in a stack overflow due to a missing depth or visited-set check. This issue has been patched in versions…

  • CVE-2026-48733MedJun 10, 2026
    risk 0.31cvss 4.7epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, an infinite loop in the subimage-search operation can happen when using a crafted image. This issue has been patched in versions 6.9.13-49 and…

  • CVE-2026-48724MedJun 10, 2026
    risk 0.36cvss 5.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-24, when using an image with mask the Floyd-Steinberg dithering method it will cause a negative heap buffer over-write. This issue has been patched in version…

  • CVE-2026-47734MedJun 10, 2026
    risk 0.30cvss 5.7epss 0.00

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested…

  • CVE-2026-47712LowJun 10, 2026
    risk 0.14cvss 3.3epss 0.00

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only…

  • CVE-2026-47342HigJun 10, 2026
    risk 0.57cvss 8.8epss 0.00

    A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.

  • CVE-2026-47213MedJun 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine.…

  • CVE-2026-47166MedJun 10, 2026
    risk 0.37cvss 5.7epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. This issue has been…

  • CVE-2026-47165MedJun 10, 2026
    risk 0.27cvss 4.1epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge–response authentication model. This has been changed in…

  • CVE-2026-46703CriJun 10, 2026
    risk 0.55cvss 9.6epss 0.00

    Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when…

  • CVE-2026-46695CriJun 10, 2026
    risk 0.58cvss 10.0epss 0.00

    Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, malicious code can…

  • CVE-2026-46693MedJun 10, 2026
    risk 0.27cvss 4.1epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is…

  • CVE-2026-46692MedJun 10, 2026
    risk 0.27cvss 4.1epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process. This issue has…

  • CVE-2026-46645MedJun 10, 2026
    risk 0.21cvss 4.3epss 0.00

    SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding…

  • CVE-2026-46559MedJun 10, 2026
    risk 0.26cvss 4.0epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options. This issue has been…

  • CVE-2026-46557MedJun 10, 2026
    risk 0.40cvss 6.2epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-23, due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument. This issue has been patched in version 7.1.2-23.

  • CVE-2026-46521MedJun 10, 2026
    risk 0.36cvss 5.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check. This issue has been patched in…

  • CVE-2026-44693HigJun 10, 2026
    risk 0.50cvss 8.8epss 0.00

    Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based…

  • CVE-2026-42568MedJun 10, 2026
    risk 0.31cvss 4.3epss 0.01

    Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515…

  • CVE-2026-42563HigJun 10, 2026
    risk 0.43cvss epss 0.01

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge…

  • CVE-2026-42558HigJun 10, 2026
    risk 0.42cvss 7.6epss 0.00

    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the…

  • CVE-2026-42305HigJun 10, 2026
    risk 0.50cvss 8.8epss 0.01

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's…

  • CVE-2024-21944MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.00

    Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss…

  • CVE-2026-53742MedJun 10, 2026
    risk 0.35cvss 5.4epss 0.00

    Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.

  • CVE-2026-53741MedJun 10, 2026
    risk 0.35cvss 5.4epss 0.00

    Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.

  • CVE-2026-53740MedJun 10, 2026
    risk 0.35cvss 5.4epss 0.00

    Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.

  • CVE-2026-53739MedJun 10, 2026
    risk 0.28cvss 4.3epss 0.00

    Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice…

  • CVE-2026-53738HigJun 10, 2026
    risk 0.53cvss 8.1epss 0.00

    Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.

  • CVE-2026-53737MedJun 10, 2026
    risk 0.40cvss 6.1epss 0.00

    Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

  • CVE-2026-53736MedJun 10, 2026
    risk 0.28cvss 4.3epss 0.00

    Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.

  • CVE-2026-53634MedJun 10, 2026
    risk 0.21cvss 4.3epss 0.00

    Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create…

  • CVE-2026-50131HigJun 10, 2026
    risk 0.49cvss 8.6epss 0.00

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation…

  • CVE-2026-48110HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote…

  • CVE-2026-48108MedJun 10, 2026
    risk 0.27cvss 5.3epss 0.00

    Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the…

  • CVE-2026-48107MedJun 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use…

  • CVE-2026-48011LowJun 10, 2026
    risk 0.24cvss 3.7epss 0.00

    Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

  • CVE-2026-46705MedJun 10, 2026
    risk 0.27cvss 5.3epss 0.00

    Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC…

  • CVE-2026-46702HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This…

  • CVE-2026-46689HigJun 10, 2026
    risk 0.50cvss epss 0.00

    Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack…

  • CVE-2026-46679HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched…