Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,302
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 321 - 340 of 39,613 CVEs

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.0, an attacker can craft a PDF with declared image size values that are much too large compared to the actual data, causing large memory usage in pypdf image parsing. This issue is fixed in version 6.14.0.

Vendor: py-pdf
Product: pypdf
Published: Jul 08, 2026
Source: NVD

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.0, an attacker can craft a PDF with repeated malformed cross-reference streams that cause pypdf to spend long runtimes recovering broken cross-reference table entries. This issue is fixed in version 6.14.0.

Vendor: py-pdf
Product: pypdf
Published: Jul 08, 2026
Source: NVD
CVE-2026-50813 MEDIUM - 6.1

An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path

Published: Jul 08, 2026
Source: NVD
CVE-2026-50812 MEDIUM - 5.5

A NULL pointer dereference in the SQLite Session Extension in SQLite 3.53.1 and SQLite trunk builds before check-in e807d4e3798efd53 allows an attacker who can supply a malformed changeset blob to cause a denial of service. The issue occurs when sqlite3changeset_apply_v3() applies a corrupt changese...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14362 MEDIUM - 4.9

HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixe...

Vendor: HashiCorp
Product: Shared library
Published: Jul 08, 2026
Source: NVD
CVE-2026-60102 HIGH - 8.8

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-contro...

Vendor: horde
Product: Vfs
Published: Jul 08, 2026
Source: NVD
CVE-2026-59930 MEDIUM - 4.3

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with generated ancho...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59929 MEDIUM - 6.1

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, ...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59928 HIGH - 7.5

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service throu...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59927 MEDIUM - 5.3

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionErr...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even ...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59925 HIGH - 7.5

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from eve...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59924 MEDIUM - 5.9

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory whe...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59923 MEDIUM - 6.1

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3....

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59922 HIGH - 7.5

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each ...

Vendor: lepture
Product: mistune
Published: Jul 08, 2026
Source: NVD
CVE-2026-59897 MEDIUM - 4.8

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or a...

Vendor: honojs
Product: hono
Published: Jul 08, 2026
Source: NVD
CVE-2026-59896 MEDIUM - 6.5

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight re...

Vendor: honojs
Product: hono
Published: Jul 08, 2026
Source: NVD
CVE-2026-59895 MEDIUM - 6.1

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class a...

Vendor: honojs
Product: hono
Published: Jul 08, 2026
Source: NVD
CVE-2026-59892 HIGH - 7.5

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURIComponent() without handling decode errors, allowing an unauthenticated remote attacker to send a malformed ...

Vendor: open-telemetry
Product: opentelemetry-js
Published: Jul 08, 2026
Source: NVD
CVE-2026-59890 MEDIUM - 6.1

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode ...

Vendor: pypa
Product: setuptools
Published: Jul 08, 2026
Source: NVD