Total: 362682 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-56049 | | | 2026-06-25 | N/A | 8.5 HIGH |
| Contributor-level Remote Code Execution (RCE) in Post Snippets versions <= 4.0.19. | | | | | |
| CVE-2026-56006 | | | 2026-06-25 | N/A | 7.1 HIGH |
| Unauthenticated Cross Site Scripting (XSS) in H5P versions <= 1.17.6. | | | | | |
| CVE-2026-56005 | | | 2026-06-25 | N/A | 7.1 HIGH |
| Subscriber-level Cross Site Scripting (XSS) in WP Activity Log versions <= 5.6.3.1. | | | | | |
| CVE-2026-55570 | | | 2026-06-25 | N/A | 9.0 CRITICAL |
| SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is produced with JSON.stringify() (which does not escape ', <, or >), a package whose name contains a single quote breaks out of the attribute and injects arbitrary HTML. In the desktop client the main BrowserWindow runs with nodeIntegration: true and contextIsolation: false, so the injected markup escalates from DOM XSS to arbitrary OS command execution. This is the same root cause and the same impact as the original advisory, reached through a sibling sink the earlier patch did not cover. This vulnerability is fixed in 3.7.0. | | | | | |
| CVE-2026-54848 | | | 2026-06-25 | N/A | 8.3 HIGH |
| Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3. | | | | | |
| CVE-2026-54843 | | | 2026-06-25 | N/A | 9.3 CRITICAL |
| Unauthenticated SQL Injection in MDTF versions <= 1.3.7. | | | | | |
| CVE-2026-54842 | | | 2026-06-25 | N/A | 8.1 HIGH |
| Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25. | | | | | |
| CVE-2026-54829 | | | 2026-06-25 | N/A | 7.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005. | | | | | |
| CVE-2026-54828 | | | 2026-06-25 | N/A | 7.5 HIGH |
| Unauthenticated Broken Access Control in Motors versions <= 1.4.109. | | | | | |
| CVE-2026-54069 | | | 2026-06-25 | N/A | N/A |
| SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension, including a legitimate extension compromised through a supply chain attack, can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0. | | | | | |
| CVE-2026-2815 | | | 2026-06-25 | N/A | N/A |
| Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys. | | | | | |
| CVE-2026-13035 | Apple, Google | Macos, Chrome | 2026-06-25 | N/A | 8.8 HIGH |
| Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High) | | | | | |
| CVE-2026-13036 | Apple, Google, Linux and 1 more | Macos, Chrome, Linux Kernel and 1 more | 2026-06-25 | N/A | 8.8 HIGH |
| Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | | | | | |
| CVE-2026-13037 | Google | Android, Chrome | 2026-06-25 | N/A | 7.8 HIGH |
| Use after free in WebView in Google Chrome on Android prior to 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | | | | | |
| CVE-2026-13038 | Google, Microsoft | Chrome, Windows | 2026-06-25 | N/A | 8.8 HIGH |
| Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | | | | | |
| CVE-2026-39897 | Cacti | Cacti | 2026-06-25 | N/A | 6.1 MEDIUM |
| Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in html_auth_footer. This issue has been fixed in version 1.2.31. | | | | | |
| CVE-2026-39900 | Cacti | Cacti | 2026-06-25 | N/A | 6.1 MEDIUM |
| Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via the tab parameter in the auth_profile.php JavaScript context. This issue has been fixed in version 1.2.31. | | | | | |
| CVE-2026-48137 | Ni | Instrumentstudio, Ni Grpc Device Server | 2026-06-25 | N/A | 9.1 CRITICAL |
| There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions. | | | | | |
| CVE-2026-48138 | Ni | Instrumentstudio, Ni Grpc Device Server | 2026-06-25 | N/A | 7.5 HIGH |
| There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This affects NI grpc-device 2.17.0 and prior versions. | | | | | |
| CVE-2026-48139 | Ni | Instrumentstudio, Ni Grpc Device Server | 2026-06-25 | N/A | 7.5 HIGH |
| There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash. Successful exploitation requires an attacker to provide an unknown value to the data moniker service. This affects NI grpc-device 2.17.0 and prior versions. | | | | | |
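
The SiYuan marketplace-card entry (CVE-2026-55570) turns on a detail that is easy to get wrong in any web client: JSON.stringify() escapes only double quotes, backslashes and control characters, so its output is safe inside a JavaScript string literal but not inside an HTML attribute, and least of all a single-quoted one. The block below is an added example written for this page, not SiYuan's code; the package object, the card markup and every helper name (hostilePkg, renderCardUnsafe, renderCardSafe, escapeAttr, readDataObjAttr, recoverPkg, injectedTail) are constructed for illustration. It renders a card both ways and then reads the attribute back the way an HTML parser would, to show where the value is cut and what spills out as markup.

```javascript
// Added example (not SiYuan's code): JSON.stringify() inside a single-quoted
// HTML attribute is an injection sink; entity-encoding the value closes it.

// Constructed marketplace package. The name carries a single quote, which
// JSON.stringify() leaves untouched (it escapes only ", \ and control chars).
const hostilePkg = {
  name: "notes' onmouseover='alert(1)",
  version: "1.0.0",
  author: "someone",
  description: "harmless looking",
};

// Vulnerable pattern: the serialized object is dropped straight into a
// single-quoted attribute. The first ' inside the value ends the attribute
// and everything after it is parsed as further attributes or markup.
function renderCardUnsafe(pkg) {
  return `<div class="card" data-obj='${JSON.stringify(pkg)}'></div>`;
}

// Hardened pattern: entity-encode every character that can terminate an
// attribute or open a tag before the string goes into the attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/'/g, "&#39;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderCardSafe(pkg) {
  return `<div class="card" data-obj='${escapeAttr(JSON.stringify(pkg))}'></div>`;
}

// Minimal reader that behaves like the HTML parser for this attribute: the
// value runs from the opening ' to the next ', whatever the author intended.
function readDataObjAttr(html) {
  const start = html.indexOf("data-obj='") + "data-obj='".length;
  const end = html.indexOf("'", start);
  return html.slice(start, end);
}

// Reverse of escapeAttr; &amp; is decoded last so it cannot re-create an
// entity out of the other replacements.
function unescapeAttr(s) {
  return s
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Object the page would recover from the attribute, or null when the value
// was cut short because it broke out of the quotes.
function recoverPkg(html) {
  const raw = unescapeAttr(readDataObjAttr(html));
  try {
    return JSON.parse(raw);
  } catch (e) {
    return null;
  }
}

// Text that landed outside the attribute in the rendered markup, i.e. what
// the parser treats as extra attributes such as an event handler.
function injectedTail(html) {
  const start = html.indexOf("data-obj='") + "data-obj='".length;
  const end = html.indexOf("'", start);
  return html.slice(end + 1, html.indexOf("></div>"));
}

// Stand-alone demonstration.
const unsafeHtml = renderCardUnsafe(hostilePkg);
console.log("unsafe attribute value:", readDataObjAttr(unsafeHtml));
console.log("unsafe injected tail  :", injectedTail(unsafeHtml));
console.log("safe round-trip name  :", recoverPkg(renderCardSafe(hostilePkg)).name);
```

The safe variant does not depend on which quote character the attribute uses, because every character that could end an attribute value is encoded; switching the template to double quotes without encoding would only move the problem to a name containing `"`, which JSON.stringify() does escape as `\"` but which the HTML parser still sees as a raw double quote. The same encoding step is what the attribute-context rule of any output-encoding library enforces.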
