U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.


The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-59259 - n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credent... read CVE-2026-59259
    Published: July 15, 2026; 8:18:17 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-10668 - The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot disarm a control Data I... read CVE-2026-10668
    Published: July 12, 2026; 1:16:24 PM -0400

    V3.1: 4.6 MEDIUM

  • CVE-2026-56353 - n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth (a non-default configuration). In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication check on the Cha... read CVE-2026-56353
    Published: July 15, 2026; 8:18:02 AM -0400

  • CVE-2026-56398 - Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the p... read CVE-2026-56398
    Published: July 15, 2026; 8:18:02 AM -0400

    V3.1: 9.0 CRITICAL

  • CVE-2026-56400 - open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui ... read CVE-2026-56400
    Published: July 15, 2026; 8:18:03 AM -0400

    V3.1: 9.6 CRITICAL

  • CVE-2026-61859 - ImageMagick before 7.1.2-26 and 6.9.13-x before 6.9.13-51 contains a policy bypass vulnerability in the -script operation due to missing security policy checks. This allows reading files from paths that are otherwise disallowed by the configured s... read CVE-2026-61859
    Published: July 15, 2026; 8:18:20 AM -0400

  • CVE-2026-50670 - Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:01 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-61863 - ImageMagick before 7.1.2-26 (and 6.x before 6.9.13-51) contains a memory leak in the TIFF encoder that occurs when a temporary file cannot be created, resulting in a small memory leak.
    Published: July 15, 2026; 8:18:21 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-50673 - Null pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:01 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-38753 - A use-after-free in the awk_sub() function (editors/awk.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AWK script.
    Published: July 15, 2026; 5:16:36 PM -0400

  • CVE-2026-50688 - Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:04 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-36590 - An issue in EMQ NanoMQ v.0.24.9 allows a remote attacker to cause a denial of service via the nni_qos_db_set function in broker_tcp.c component
    Published: July 15, 2026; 6:16:46 PM -0400

  • CVE-2026-38752 - A stack overflow in the evaluate() function (editors/awk.c) of BusyBox commit 371fe9 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AWK script.
    Published: July 15, 2026; 6:16:47 PM -0400

  • CVE-2026-38754 - A heap overflow in the ifsbreakup() function (shell/ash.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.
    Published: July 15, 2026; 6:16:47 PM -0400

  • CVE-2026-38755 - A heap overflow in the evalcommand() function (shell/ash.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.
    Published: July 15, 2026; 6:16:47 PM -0400

  • CVE-2026-56643 - Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:30 PM -0400

  • CVE-2026-56644 - Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:30 PM -0400

  • CVE-2026-58532 - Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:40 PM -0400

  • CVE-2026-50327 - Heap-based buffer overflow in Windows Media allows an authorized attacker to execute code locally.
    Published: July 14, 2026; 2:17:31 PM -0400

  • CVE-2026-50326 - Use after free in Windows Unified Consent System allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:17:31 PM -0400

Created September 20, 2022 , Updated August 27, 2024