VYPR

CVEs

345,196 total · page 101 of 6,904

  • CVE-2026-46673HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths…

  • CVE-2026-46669HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    OpenVM is a performant and modular zkVM framework built for customization and extensibility. Prior to version 1.6.0, the openvm-pairing guest library's try_honest_pairing_check function invokes Theorem 3 of https://eprint.iacr.org/2024/640.pdf but does not check that the scaling…

  • CVE-2026-46668LowJun 10, 2026
    risk 0.08cvss epss 0.00

    SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.

  • CVE-2026-46654HigJun 10, 2026
    risk 0.51cvss epss 0.00

    Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in…

  • CVE-2026-46625HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an…

  • CVE-2026-46523MedJun 10, 2026
    risk 0.40cvss 6.2epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free. Versions 7.1.2.23 and 6.9.13-48 fix the issue.

  • CVE-2026-46522HigJun 10, 2026
    risk 0.52cvss 7.5epss 0.02

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and…

  • CVE-2026-46520HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions…

  • CVE-2026-45783HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all…

  • CVE-2026-45664MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in…

  • CVE-2026-45624MedJun 10, 2026
    risk 0.33cvss 5.1epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments. This issue has…

  • CVE-2026-45384MedJun 10, 2026
    risk 0.40cvss 6.1epss 0.00

    bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in…

  • CVE-2026-45380LowJun 10, 2026
    risk 0.23cvss 3.6epss 0.00

    bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any…

  • CVE-2026-45359MedJun 10, 2026
    risk 0.37cvss 5.7epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-22, an invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation.…

  • CVE-2026-45358MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, an off by one in the meta encoder could result in an out of bounds read of a single byte in the meta encoder. This issue has been patched in…

  • CVE-2026-45031MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.01

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other…

  • CVE-2026-44692HigJun 10, 2026
    risk 0.43cvss 7.7epss 0.00

    Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters.…

  • CVE-2026-42542HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.01

    TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are…

  • CVE-2026-42462HigJun 10, 2026
    risk 0.39cvss 7.0epss 0.00

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it…

  • CVE-2026-42326MedJun 10, 2026
    risk 0.33cvss 5.1epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte. This issue has been patched in…

  • CVE-2026-2049HigJun 10, 2026
    risk 0.51cvss 7.8epss 0.01

    GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit…

  • CVE-2026-11604MedJun 10, 2026
    risk 0.29cvss epss 0.00

    An incorrect buffer size calculation in the epoch key generator in OpenVPN ovpn-dco-win version 2.0.0 through 2.8.3 allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash…

  • CVE-2026-10143HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.01

    kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py,…

  • CVE-2026-10142HigJun 10, 2026
    risk 0.42cvss 7.5epss 0.00

    kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation.…

  • CVE-2026-0274HigJun 10, 2026
    risk 0.53cvss epss 0.00

    An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources.

  • CVE-2026-0273MedJun 10, 2026
    risk 0.40cvss epss 0.01

    A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI. The…

  • CVE-2026-0272MedJun 10, 2026
    risk 0.39cvss epss 0.00

    A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with root privileges. The security risk posed by this issue is significantly…

  • CVE-2026-0271MedJun 10, 2026
    risk 0.38cvss epss 0.00

    A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to execute code with elevated privileges. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.

  • CVE-2026-0270MedJun 10, 2026
    risk 0.31cvss epss 0.00

    A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network, with the ability to intercept and manipulate network response traffic via a man-in-the-middle (MITM) attack, to write…

  • CVE-2026-0269MedJun 10, 2026
    risk 0.30cvss epss 0.00

    A memory corruption vulnerability in the processing of tunnel traffic in Palo Alto Networks PAN-OS® software allows an authenticated user to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter…

  • CVE-2026-0268MedJun 10, 2026
    risk 0.29cvss epss 0.00

    A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.

  • CVE-2026-0267MedJun 10, 2026
    risk 0.29cvss epss 0.00

    An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS enables a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the GlobalProtect app. After the passcode is known, the user can perform these actions…

  • CVE-2026-0266LowJun 10, 2026
    risk 0.07cvss epss 0.00

    A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on…

  • CVE-2022-48575LowJun 10, 2026
    risk 0.23cvss 3.5epss 0.00

    A person with access to a Mac may be able to bypass Login Window. A consistency issue was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4.

  • CVE-2022-26758HigJun 10, 2026
    risk 0.46cvss 7.1epss 0.00

    A malicious application may cause unexpected changes in memory shared between processes. A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4.

  • CVE-2026-47768Jun 10, 2026
    risk 0.00cvss epss 0.00

    `internal/web/operators.go:251` — after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/?new_key=&key_name= The raw API key ends up: - in the browser's URL history - in the…

  • CVE-2026-11908Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11909Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11913Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11914Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-11915Jun 10, 2026
    risk 0.00cvss epss 0.00

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-47764higJun 10, 2026
    risk 0.38cvss epss 0.00

    InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path…

  • CVE-2026-47763Jun 10, 2026
    risk 0.00cvss epss 0.00

    ## Summary PDM writes several project-local state or configuration files without symlink protection. If a malicious repository places those files as symlinks, local PDM operations can overwrite the symlink targets. This creates an arbitrary file clobber primitive relative to…

  • CVE-2026-6893HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.01

    A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are…

  • CVE-2026-50127MedJun 10, 2026
    risk 0.31cvss 5.9epss 0.00

    Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private…

  • CVE-2026-46683MedJun 10, 2026
    risk 0.38cvss epss 0.00

    Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0.

  • CVE-2026-46643HigJun 10, 2026
    risk 0.42cvss epss 0.00

    Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg(‘/usr/bin/wkhtmltopdf’) returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included.…

  • CVE-2026-46529HigJun 10, 2026
    risk 0.48cvss epss 0.01

    Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into…

  • CVE-2026-45106MedJun 10, 2026
    risk 0.23cvss 4.6epss 0.00

    Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every…

  • CVE-2026-1220HigJun 10, 2026
    risk 0.49cvss 7.5epss 0.00

    Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High)