The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
-
CVE-2026-44332 - Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-exist... read CVE-2026-44332
Published: July 08, 2026; 4:16:49 PM -0400 -
CVE-2026-45045 - Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied f... read CVE-2026-45045
Published: July 08, 2026; 4:16:50 PM -0400 -
CVE-2026-53624 - Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol... read CVE-2026-53624
Published: July 08, 2026; 4:16:52 PM -0400 -
CVE-2026-54527 - JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to exe... read CVE-2026-54527
Published: July 08, 2026; 5:16:49 PM -0400V3.1: 9.0 CRITICAL
-
CVE-2026-54528 - JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase() in GitHandler.prepare() in jupyterlab_git/handlers.py to enforce excluded_paths, allowing an authenticated user on a case-insensitive file... read CVE-2026-54528
Published: July 08, 2026; 5:16:49 PM -0400 -
CVE-2026-58191 - Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig... read CVE-2026-58191
Published: July 08, 2026; 5:16:52 PM -0400V3.1: 6.1 MEDIUM
-
CVE-2026-46633 - Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the... read CVE-2026-46633
Published: July 14, 2026; 6:16:55 PM -0400V3.1: 9.8 CRITICAL
-
CVE-2026-46634 - Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed... read CVE-2026-46634
Published: July 14, 2026; 6:16:56 PM -0400V3.1: 9.8 CRITICAL
-
CVE-2026-46635 - Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(),... read CVE-2026-46635
Published: July 14, 2026; 6:16:56 PM -0400V3.1: 4.3 MEDIUM
-
CVE-2026-46637 - Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and... read CVE-2026-46637
Published: July 14, 2026; 6:16:56 PM -0400V3.1: 5.4 MEDIUM
-
CVE-2026-35152 - A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allow... read CVE-2026-35152
Published: July 15, 2026; 6:16:46 AM -0400 -
CVE-2026-55048 - Integer overflow or wraparound in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: July 14, 2026; 2:18:16 PM -0400 -
CVE-2026-56287 - A boolean-based SQL Injection vulnerability exists in Apache Fineract's Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficie... read CVE-2026-56287
Published: July 15, 2026; 6:16:47 AM -0400 -
CVE-2026-57821 - A SQL Injection vulnerability exists in Apache Fineract's Office Search API (GET /api/v1/offices) in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an aut... read CVE-2026-57821
Published: July 15, 2026; 6:16:47 AM -0400 -
CVE-2026-55053 - Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: July 14, 2026; 2:18:17 PM -0400 -
CVE-2026-55130 - Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: July 14, 2026; 2:18:19 PM -0400 -
CVE-2026-55121 - Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
Published: July 14, 2026; 2:18:18 PM -0400V3.1: 5.5 MEDIUM
-
CVE-2026-55120 - Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
Published: July 14, 2026; 2:18:18 PM -0400 -
CVE-2026-55058 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: July 14, 2026; 2:18:18 PM -0400 -
CVE-2026-55122 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
Published: July 14, 2026; 2:18:18 PM -0400