Total CVEs

143,126

Critical Severity

4,045

High Severity

14,563

Last 7 Days

1,253
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 241 - 260 of 39,531 CVEs
CVE-2026-50813 MEDIUM - 6.1

An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path

Published: Jul 08, 2026
Source: NVD
CVE-2026-50812 MEDIUM - 5.5

A NULL pointer dereference in the SQLite Session Extension in SQLite 3.53.1 and SQLite trunk builds before check-in e807d4e3798efd53 allows an attacker who can supply a malformed changeset blob to cause a denial of service. The issue occurs when sqlite3changeset_apply_v3() applies a corrupt changese...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14362 MEDIUM - 4.9

HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixe...

Vendor: HashiCorp
Product: Shared library
Published: Jul 08, 2026
Source: NVD
CVE-2026-60102 HIGH - 8.8

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-contro...

Vendor: horde
Product: Vfs
Published: Jul 08, 2026
Source: NVD
CVE-2026-59930 MEDIUM - 4.3

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with generated ancho...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59929 MEDIUM - 6.1

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, ...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59928 HIGH - 7.5

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service throu...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59927 MEDIUM - 5.3

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionErr...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even ...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59925 HIGH - 7.5

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from eve...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59924 MEDIUM - 5.9

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory whe...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59923 MEDIUM - 6.1

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3....

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59922 HIGH - 7.5

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each ...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59897 MEDIUM - 4.8

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or a...

Vendor: honojs
Product: hono
Published: Jul 08, 2026
Source: NVD
CVE-2026-59896 MEDIUM - 6.5

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight re...

Vendor: honojs
Product: hono
Published: Jul 08, 2026
Source: NVD
CVE-2026-59895 MEDIUM - 6.1

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class a...

Vendor: honojs
Product: hono
Published: Jul 08, 2026
Source: NVD
CVE-2026-59892 HIGH - 7.5

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURIComponent() without handling decode errors, allowing an unauthenticated remote attacker to send a malformed ...

Vendor: open-telemetry
Product: opentelemetry-js
Published: Jul 08, 2026
Source: NVD
CVE-2026-59890 MEDIUM - 6.1

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode ...

Vendor: pypa
Product: setuptools
Published: Jul 08, 2026
Source: NVD
CVE-2026-59887 HIGH - 7.5

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user ...

Vendor: markdown-it
Product: linkify-it
Published: Jul 08, 2026
Source: NVD
CVE-2026-59883 MEDIUM - 4.7

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing c...

Vendor: guzzle
Product: guzzle
Published: Jul 08, 2026
Source: NVD