Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (8568 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-47277 2026-06-16 6.5 Medium
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.
CVE-2026-40761 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
CVE-2026-40760 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
CVE-2026-40759 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
CVE-2026-40758 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
CVE-2026-40755 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
CVE-2026-40754 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
CVE-2026-40751 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
CVE-2026-40739 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
CVE-2026-40736 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
CVE-2026-39580 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
CVE-2026-39578 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Valiance <= 1.2 versions.
CVE-2026-39577 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions.
CVE-2026-39567 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions.
CVE-2026-39557 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions.
CVE-2026-39554 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions.
CVE-2026-39539 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions.
CVE-2026-39529 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions.
CVE-2026-39446 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions.
CVE-2026-39443 2026-06-16 8.1 High
Unauthenticated PHP Object Injection in EmallShop <= 2.4.21 versions.