CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Dell
1Powerflex Manager
Jul 16, 2026
Jul 10, 2026
N/A· v4
8.5 HIGH· v3
N/A· v2
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could poten...Show more
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access.Show less
1Dell
1Powerflex Manager
Jul 16, 2026
Jul 10, 2026
N/A· v4
7.7 HIGH· v3
N/A· v2
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could poten...Show more
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.Show less
1Dell
1Powerflex Manager
Jul 16, 2026
Jul 10, 2026
N/A· v4
9.1 CRITICAL· v3
N/A· v2
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access coul...Show more
Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achieve arbitrary command execution as root, potentially leading to full appliance compromise and lateral movement into managed infrastructure.Show less
1Dell
1Unisphere For Powermax
Jul 16, 2026
Jul 10, 2026
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a path traversal vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to read arbitrary files.
1Newapi
1New Api
Jul 16, 2026
Jul 9, 2026
N/A· v4
5.3 MEDIUM· v3
N/A· v2
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oaut...Show more
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing an attacker to trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth identity in deployments where session cookies could be sent on cross-site navigations. This issue is fixed in version 0.12.0-alpha.1.Show less
1Newapi
1New Api
Jul 16, 2026
Jul 9, 2026
N/A· v4
7.7 HIGH· v3
N/A· v2
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with Ap...Show more
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address, allowing authenticated users to configure Webhook, Bark, or Gotify notification URLs that point at an internal or metadata IP address. This issue is fixed in version 0.12.0-alpha.1.Show less
1Hapifhir
1Hl7 Fhir Core
Jul 16, 2026
Jul 8, 2026
8.7 HIGH· v4
9.1 CRITICAL· v3
N/A· v2
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiated a bare net.sf.saxo...Show more
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl() without ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET restrictions, allowing an attacker who controls or can tamper with transformed XML to trigger XML External Entity injection for local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. This issue is fixed in version 6.9.10.Show less
1Hapifhir
1Hl7 Fhir Core
Jul 16, 2026
Jul 8, 2026
N/A· v4
7.5 HIGH· v3
N/A· v2
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches()...Show more
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches() in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matches(sw) without RegexTimeout protection while replaceMatches() was updated, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU. This issue is fixed in version 6.9.10.Show less
2Jsrsasign Project
Kjur
2Jsrsasign
Jsrsasign
Jul 16, 2026
Mar 23, 2026
8.8 HIGH· v4
9.1 CRITICAL· v3
N/A· v2
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key...Show more
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.Show less
-
-
Jul 16, 2026
Jun 4, 2026
N/A· v4
7.1 HIGH· v3
N/A· v2
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-sched...Show more
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.Show less
-
-
Jul 16, 2026
May 29, 2025
6.9 MEDIUM· v4
6.5 MEDIUM· v3
N/A· v2
Versions of the package mcp-markdownify-server before 1.0.0 are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the...Show more
Versions of the package mcp-markdownify-server before 1.0.0 are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server.Show less
1Openwebui
1Open Webui
Jul 16, 2026
Mar 20, 2025
N/A· v4
N/A· v3
N/A· v2
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
1Openwebui
1Open Webui
Jul 16, 2026
Mar 20, 2025
N/A· v4
N/A· v3
N/A· v2
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
1Openwebui
1Open Webui
Jul 16, 2026
Mar 20, 2025
N/A· v4
N/A· v3
N/A· v2
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
1Openwebui
1Open Webui
Jul 16, 2026
Oct 9, 2024
N/A· v4
N/A· v3
N/A· v2
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
1Openwebui
1Open Webui
Jul 16, 2026
Mar 20, 2025
N/A· v4
N/A· v3
N/A· v2
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
1Openwebui
1Open Webui
Jul 16, 2026
Mar 20, 2025
N/A· v4
N/A· v3
N/A· v2
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
1Azeotech
1Daqfactory
Jul 16, 2026
Jun 25, 2026
8.4 HIGH· v4
7.8 HIGH· v3
N/A· v2
In AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.
1Drupal
1Drupal
Jul 16, 2026
Jul 10, 2026
N/A· v4
5.9 MEDIUM· v3
N/A· v2
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2...Show more
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.Show less
2Artificial Intelligence Project
Drupal
2Artificial Intelligence
Artificial Intelligence
Jul 16, 2026
Mar 31, 2025
N/A· v4
6.6 MEDIUM· v3
N/A· v2
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection.This issue affects AI (Artificial Intelligence):...Show more
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.5.Show less
2Artificial Intelligence Project
Drupal
2Artificial Intelligence
Artificial Intelligence
Jul 16, 2026
Mar 31, 2025
N/A· v4
7.5 HIGH· v3
N/A· v2
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection.This issue affects AI (Artificial Intelligence):...Show more
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.5.Show less
2Gimp
Redhat
2Enterprise Linux
Gimp
Jul 16, 2026
Jul 6, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by...Show more
A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.Show less
1Drupal
1Drupal
Jul 16, 2026
Jul 10, 2026
N/A· v4
5.9 MEDIUM· v3
N/A· v2
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 1...Show more
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.Show less
1Drupal
1Drupal
Jul 16, 2026
Jul 10, 2026
N/A· v4
5.9 MEDIUM· v3
N/A· v2
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 1...Show more
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.Show less
1Artificial Intelligence Project
1Artificial Intelligence
Jul 16, 2026
Jul 10, 2026
N/A· v4
3.3 LOW· v3
N/A· v2
Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence) versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4....Show more
Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence) versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4.3.Show less