Total CVEs

145,969

Critical Severity

4,294

High Severity

15,801

Last 7 Days

2,223
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 24,041 - 24,060 of 42,374 CVEs
CVE-2026-34987 CRITICAL - 9.9

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following step...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD
CVE-2026-34971 CRITICAL - 7.8

Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architectu...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can res...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits shou...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. ...

Vendor: bytecodealliance
Product: wasmtime
Published: Apr 09, 2026
Source: NVD
CVE-2026-31170 CRITICAL - 9.8

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.

Published: Apr 09, 2026
Source: NVD

OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.

Vendor: OpenPLC_V3
Product: OpenPLC_V3
Published: Apr 09, 2026
Source: NVD
CVE-2026-5971 HIGH - 7.3

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5970 HIGH - 7.3

A vulnerability was detected in FoundationAgents MetaGPT up to 0.8.1. This affects the function check_solution of the component HumanEvalBenchmark/MBPPBenchmark. Performing a manipulation results in code injection. The attack may be initiated remotely. The exploit is now public and may be used. The ...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5329 HIGH - 8.5

Rapid7 Velociraptor versions prior to 0.76.2Β contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring me...

Published: Apr 09, 2026
Source: NVD

web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementati...

Vendor: ethereum
Product: web3.py
Published: Apr 09, 2026
Source: NVD
CVE-2026-40071 MEDIUM - 5.4

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

Vendor: pyload
Product: pyload
Published: Apr 09, 2026
Source: NVD
CVE-2026-40070 HIGH - 8.1

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the call...

Vendor: sgbett
Product: bsv-ruby-sdk, bsv-sdk, bsv-wallet
Published: Apr 09, 2026
Source: NVD
CVE-2026-40069 HIGH - 7.5

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStat...

Vendor: sgbett
Product: bsv-ruby-sdk
Published: Apr 09, 2026
Source: NVD
CVE-2026-39985 MEDIUM - 4.3

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, wh...

Vendor: aces
Product: Loris
Published: Apr 09, 2026
Source: NVD
CVE-2026-39980 CRITICAL - 9.1

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform proces...

Vendor: OpenCTI-Platform
Product: opencti
Published: Apr 09, 2026
Source: NVD