Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,313
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 24,421 - 24,440 of 42,148 CVEs
CVE-2026-32288 MEDIUM - 5.5

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Vendor: Go standard library
Product: archive/tar
Published: Apr 08, 2026
Source: NVD
CVE-2026-32283 HIGH - 7.5

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Vendor: Go standard library
Product: crypto/tls
Published: Apr 08, 2026
Source: NVD
CVE-2026-32282 MEDIUM - 6.4

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to av...

Vendor: Go standard library
Product: internal/syscall/unix
Published: Apr 08, 2026
Source: NVD
CVE-2026-32281 HIGH - 7.5

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptio...

Vendor: Go standard library
Product: crypto/x509
Published: Apr 08, 2026
Source: NVD
CVE-2026-32280 HIGH - 7.5

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Vendor: Go standard library
Product: crypto/x509
Published: Apr 08, 2026
Source: NVD
CVE-2026-27144 HIGH - 7.1

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

Vendor: Go toolchain
Product: cmd/compile
Published: Apr 08, 2026
Source: NVD
CVE-2026-27143 CRITICAL - 9.8

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

Vendor: Go toolchain
Product: cmd/compile
Published: Apr 08, 2026
Source: NVD
CVE-2026-27140 HIGH - 8.8

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Vendor: Go toolchain
Product: cmd/go
Published: Apr 08, 2026
Source: NVD
CVE-2025-14732 MEDIUM - 6.4

The Elementor Website Builder โ€“ More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authentica...

Vendor: elemntor
Product: Elementor Website Builder โ€“ more than just a page builder
Published: Apr 08, 2026
Source: NVD
CVE-2026-4788 HIGH - 8.4

IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user.

Vendor: ibm
Product: tivoli_netcool\/impact
Published: Apr 08, 2026
Source: NVD
CVE-2026-3357 HIGH - 8.8

IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.

Vendor: langflow
Product: langflow
Published: Apr 08, 2026
Source: NVD
CVE-2026-1346 CRITICAL - 9.3

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to roo...

Vendor: ibm
Product: security_verify_access
Published: Apr 08, 2026
Source: NVD
CVE-2026-1343 HIGH - 7.2

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are pr...

Vendor: ibm
Product: security_verify_access
Published: Apr 08, 2026
Source: NVD
CVE-2026-39413 MEDIUM - 4.2

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly ...

Vendor: pip
Product: lightrag-hku
Published: Apr 08, 2026
Source: GitHub
CVE-2026-39410 MEDIUM - 4.8

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the...

Vendor: npm
Product: hono
Published: Apr 08, 2026
Source: GitHub

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

Vendor: npm
Product: hono
Published: Apr 08, 2026
Source: GitHub
CVE-2026-39408 MEDIUM - 7.5

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially cra...

Vendor: npm
Product: hono
Published: Apr 08, 2026
Source: GitHub
CVE-2026-39407 MEDIUM - 5.3

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used f...

Vendor: npm
Product: hono
Published: Apr 08, 2026
Source: GitHub
CVE-2026-39406 MEDIUM - 5.3

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, th...

Vendor: npm
Product: @hono/node-server
Published: Apr 08, 2026
Source: GitHub

openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools

Vendor: npm
Product: openclaw-claude-bridge
Published: Apr 08, 2026
Source: GitHub