Total CVEs

143,701

Critical Severity

4,088

High Severity

14,745

Last 7 Days

1,535
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 601 - 620 of 1,584 CVEs
CVE-2026-8218 LOW - 2.4

A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the pu...

Published: May 10, 2026
Source: NVD

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN...

Vendor: GrapheneOS
Product: GrapheneOS
Published: May 09, 2026
Source: NVD
CVE-2026-8196 LOW - 3.7

A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java of the component mLogin Endpoint. This manipulation causes authorization bypass. The attack is...

Published: May 09, 2026
Source: NVD

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exp...

Vendor: npm
Product: hono
Published: May 09, 2026
Source: GitHub

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enable...

Vendor: Syslifters
Product: sysreptor
Published: May 08, 2026
Source: NVD

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab&qu...

Vendor: jgraph
Product: drawio
Published: May 08, 2026
Source: NVD

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher alw...

Vendor: go
Product: github.com/modelcontextprotocol/registry
Published: May 08, 2026
Source: GitHub

Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.6, 9.6.0.0 through 9.7.1.13, 9.8.0.0 through 9.10.1.5 and 9.11.0.0 through 9.12.0.1 contains an Insufficient Logging vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information ta...

Vendor: Dell
Product: PowerScale OneFS
Published: May 08, 2026
Source: NVD

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD

In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.

Vendor: OpenStack
Product: Ironic
Published: May 08, 2026
Source: NVD
CVE-2026-8136 LOW - 2.4

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may...

Published: May 08, 2026
Source: NVD
CVE-2026-8124 LOW - 3.3

A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The ...

Vendor: gpac
Product: gpac
Published: May 08, 2026
Source: NVD
CVE-2026-8119 LOW - 3.3

A vulnerability was detected in Open5GS up to 2.7.7. Impacted is the function ogs_sbi_stream_find_by_id in the library /lib/sbi/nghttp2-server.c of the component NSSF. Performing a manipulation results in denial of service. Attacking locally is a requirement. The exploit is now public and may be use...

Vendor: open5gs
Product: open5gs
Published: May 08, 2026
Source: NVD

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validati...

Vendor: npm
Product: nuxt-og-image
Published: May 07, 2026
Source: GitHub
CVE-2026-8088 LOW - 3.3

A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick coo...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub
CVE-2026-8084 LOW - 3.3

A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD

Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD

Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD