Total CVEs

143,701

Critical Severity

4,088

High Severity

14,745

Last 7 Days

1,536
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 561 - 580 of 1,584 CVEs

Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session. This issue affects Symmetric Key Agreement Platform: before 26.03.

Vendor: Arqit
Product: Symmetric Key Agreement Platform
Published: May 13, 2026
Source: NVD

Protection Mechanism Failure in Zoom Workplace for iOS before version 7.0.0 may allow an authenticated user to conduct a disclosure of information via physical access.

Vendor: Zoom Communications
Product: Zoom Workplace
Published: May 13, 2026
Source: NVD
CVE-2026-8200 LOW - 2.7

When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted.  This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 ve...

Vendor: mongodb
Product: mongodb
Published: May 13, 2026
Source: NVD

Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encryp...

Vendor: npm
Product: astro
Published: May 13, 2026
Source: GitHub

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the UFS/UFS2 filesystem image parser in NanaZip. The function GetAllPaths recurses into subdirectories without any depth limit or visited-inode tracking. A crafted UFS imag...

Vendor: M2Team
Product: NanaZip
Published: May 12, 2026
Source: NVD

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a denial-of-service vulnerability exists in the littlefs filesystem image parser in NanaZip. The handler's Open method reads BlockCount directly from the attacker-controlled superblock without any validation against t...

Vendor: M2Team
Product: NanaZip
Published: May 12, 2026
Source: NVD

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the superblock field fs_ipg (inodes per cylinder group) is set to z...

Vendor: M2Team
Product: NanaZip
Published: May 12, 2026
Source: NVD

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDI...

Vendor: M2Team
Product: NanaZip
Published: May 12, 2026
Source: NVD

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's Ge...

Vendor: M2Team
Product: NanaZip
Published: May 12, 2026
Source: NVD

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing.] are affected by an ...

Vendor: Adobe
Product: Adobe Commerce
Published: May 12, 2026
Source: NVD

A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow attacker to information disclosure via <insert attack vector here>

Vendor: Fortinet
Product: FortiClientWindows
Published: May 12, 2026
Source: NVD

Unchecked return value for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may...

Vendor: intel
Product: Intel(R) QAT software drivers for Windows
Published: May 12, 2026
Source: NVD

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD

Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fi...

Vendor: Open-Xchange GmbH
Product: OX Dovecot Pro
Published: May 12, 2026
Source: NVD

The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.

Vendor: Hikvision
Product: Hik-Connect APP
Published: May 12, 2026
Source: NVD

The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, the...

Vendor: Chitora soft
Product: Lhaz, Lhaz+
Published: May 12, 2026
Source: NVD

SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality...

Vendor: SAP_SE
Product: SAP HANA Deployment Infrastructure (HDI) deploy library
Published: May 12, 2026
Source: NVD

Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file.

Vendor: Sangoma
Product: Switchvox
Published: May 12, 2026
Source: NVD

An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.

Vendor: Apple
Product: iOS and iPadOS, visionOS
Published: May 11, 2026
Source: NVD

This issue was addressed with improved permissions checking. This issue is fixed in macOS Tahoe 26.4. A malicious app may be able to access arbitrary files.

Vendor: Apple
Product: macOS
Published: May 11, 2026
Source: NVD