A vertical stack of five horizontal severity-tier bars rendered with Swiss tabular precision, descending in opacity from a hot volt-lime upper bar through a cooler signal-blue lower bar, evoking vulnerability severity stratification

CVE Watch

Every published CVE, mapped to engagement reality.

Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.

Tracking 10103 CVEsUpdated dailyLatest entry 2026-06-16

Subscribe via RSS Weekly digest by email

CVE-2026-374627.5 HIGH2026-06-03
An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Servic...
An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
CWE-190
CVE-2026-367489.0 CRITICAL2026-06-03
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile.
CWE-79
CVE-2026-365769.8 CRITICAL2026-06-03
An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to...
An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request.
CWE-78
CVE-2026-365747.8 HIGH2026-06-03
A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary ...
A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
CWE-427
CVE-2026-52419.6 CRITICAL2026-06-03
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model reposit...
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.
huggingfaceCWE-829
CVE-2026-445455.3 MEDIUM2026-06-03
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.
djangoprojectCWE-770
CVE-2026-374607.5 HIGH2026-06-03
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to ...
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
CWE-20
CVE-2025-701016.5 MEDIUM2026-06-03
An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a...
An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a specially crafted ext4 filesystem image. The vulnerability occurs due to insufficient validation of extent header fields before performing a binary search over extent index entries, which can result in invalid pointer calculations and an out-of-bounds memory read during extent tree traversal.
gkostkaCWE-125
CVE-2025-701005.5 MEDIUM2026-06-03
A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers...
A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size.
gkostkaCWE-369
CVE-2025-604775.0 MEDIUM2026-06-03
A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box befo...
A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
CWE-476
CVE-2024-472734.3 MEDIUM2026-06-03
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology ...
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users to write specific files via unspecified vectors.
synologyCWE-22
CVE-2024-472634.1 MEDIUM2026-06-03
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in ...
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information via unspecified vectors.
synologyCWE-22
CVE-2023-529515.9 MEDIUM2026-06-03
A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle...
A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential.
synologyCWE-319
CVE-2022-490427.8 HIGH2026-06-03
An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before...
An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via unspecified vectors.
synologyCWE-829
CVE-2022-490367.8 HIGH2026-06-03
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business...
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors.
synologyCWE-829
CVE-2026-350858.8 HIGH2026-06-03
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.
mbs-solutionsCWE-121
CVE-2026-350848.8 HIGH2026-06-03
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.
mbs-solutionsCWE-121
CVE-2026-350838.8 HIGH2026-06-03
A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root
A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.
mbs-solutionsCWE-121
CVE-2026-350828.8 HIGH2026-06-03
The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of us...
The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input.
mbs-solutionsCWE-22
CVE-2026-350818.1 HIGH2026-06-03
The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of u...
The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input.
mbs-solutionsCWE-20

Weekly digest

Get the curated CVE digest every Monday

One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.

Pipe the CVE feed into your stack.

CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.

RSS feed Atom feed JSON feed