U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.


The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-44332 - Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-exist... read CVE-2026-44332
    Published: July 08, 2026; 4:16:49 PM -0400

  • CVE-2026-45045 - Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied f... read CVE-2026-45045
    Published: July 08, 2026; 4:16:50 PM -0400

  • CVE-2026-53624 - Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol... read CVE-2026-53624
    Published: July 08, 2026; 4:16:52 PM -0400

  • CVE-2026-54527 - JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to exe... read CVE-2026-54527
    Published: July 08, 2026; 5:16:49 PM -0400

    V3.1: 9.0 CRITICAL

  • CVE-2026-54528 - JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase() in GitHandler.prepare() in jupyterlab_git/handlers.py to enforce excluded_paths, allowing an authenticated user on a case-insensitive file... read CVE-2026-54528
    Published: July 08, 2026; 5:16:49 PM -0400

  • CVE-2026-58191 - Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig... read CVE-2026-58191
    Published: July 08, 2026; 5:16:52 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-46633 - Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name to terminate the... read CVE-2026-46633
    Published: July 14, 2026; 6:16:55 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-46634 - Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicyInterface sandbox decision, allowing a sandboxed... read CVE-2026-46634
    Published: July 14, 2026; 6:16:56 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-46635 - Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(),... read CVE-2026-46635
    Published: July 14, 2026; 6:16:56 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-46637 - Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML output as safe in HTML, JavaScript, CSS, URL, and... read CVE-2026-46637
    Published: July 14, 2026; 6:16:56 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-35152 - A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allow... read CVE-2026-35152
    Published: July 15, 2026; 6:16:46 AM -0400

  • CVE-2026-55048 - Integer overflow or wraparound in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
    Published: July 14, 2026; 2:18:16 PM -0400

  • CVE-2026-56287 - A boolean-based SQL Injection vulnerability exists in Apache Fineract's Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficie... read CVE-2026-56287
    Published: July 15, 2026; 6:16:47 AM -0400

  • CVE-2026-57821 - A SQL Injection vulnerability exists in Apache Fineract's Office Search API (GET /api/v1/offices) in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an aut... read CVE-2026-57821
    Published: July 15, 2026; 6:16:47 AM -0400

  • CVE-2026-55053 - Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
    Published: July 14, 2026; 2:18:17 PM -0400

  • CVE-2026-55130 - Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.
    Published: July 14, 2026; 2:18:19 PM -0400

  • CVE-2026-55121 - Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
    Published: July 14, 2026; 2:18:18 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-55120 - Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
    Published: July 14, 2026; 2:18:18 PM -0400

  • CVE-2026-55058 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
    Published: July 14, 2026; 2:18:18 PM -0400

  • CVE-2026-55122 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
    Published: July 14, 2026; 2:18:18 PM -0400

Created September 20, 2022 , Updated August 27, 2024