Common Vulnerabilities and Exposures (CVE)

CVE-2026-12575

Jul 1, 2026 12:22:28 UTC

DVP80ES3 with Improper Resource Shutdown or Release vulnerability.

CVE-2026-10095

Jul 1, 2026 12:22:01 UTC

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-12576

Jul 1, 2026 12:21:28 UTC

DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.

CVE-2026-14258

Jul 1, 2026 12:20:42 UTC

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be ...

CVE-2026-12142

Jul 1, 2026 12:19:42 UTC

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and outpu...

CVE-2026-13323

Jul 1, 2026 12:19:20 UTC

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacke...

CVE-2026-14198

Jul 1, 2026 12:10:29 UTC

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree o...

CVE-2026-52956

Jul 1, 2026 12:08:01 UTC

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in __ceph_x_decrypt() In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic f...

CVE-2026-14181

Jul 1, 2026 12:05:42 UTC

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a tr...

CVE-2026-6746

Jul 1, 2026 12:05:19 UTC

Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CVE-2026-6747

Jul 1, 2026 12:05:19 UTC

Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CVE-2026-6749

Jul 1, 2026 12:05:19 UTC

Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CVE-2026-8092

Jul 1, 2026 12:05:18 UTC

Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbi...

CVE-2026-4696

Jul 1, 2026 12:05:18 UTC

Use-after-free in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CVE-2026-48746

Jul 1, 2026 12:05:18 UTC

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API Authenticat...