Total CVEs

143,744

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,576
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 621 - 640 of 1,590 CVEs

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validati...

Vendor: npm
Product: nuxt-og-image
Published: May 07, 2026
Source: GitHub
CVE-2026-8088 LOW - 3.3

A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick coo...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub
CVE-2026-8084 LOW - 3.3

A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD

Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD

Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD

Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user withou...

Vendor: go
Product: go.etcd.io/etcd/v3
Published: May 07, 2026
Source: GitHub

Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD

Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 ยง6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, an...

Vendor: go
Product: github.com/free5gc/amf
Published: May 07, 2026
Source: GitHub

Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.

Vendor: torproject
Product: Tor
Published: May 07, 2026
Source: NVD

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.hea...

Vendor: maven
Product: io.netty:netty-handler-proxy
Published: May 07, 2026
Source: GitHub

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output <dir>" where that output directory currently exists (as a directory). This vulnerability is f...

Vendor: pip
Product: magic-wormhole
Published: May 06, 2026
Source: GitHub

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a ...

Vendor: maven
Product: io.micronaut:micronaut-inject
Published: May 06, 2026
Source: GitHub
CVE-2026-8022 LOW - 3.1

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)

Vendor: google
Product: chrome
Published: May 06, 2026
Source: NVD
CVE-2026-8017 LOW - 3.1

Side-channel information leakage in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

Vendor: google
Product: chrome
Published: May 06, 2026
Source: NVD
CVE-2026-7968 LOW - 3.1

Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: May 06, 2026
Source: NVD
CVE-2026-7966 LOW - 3.1

Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: May 06, 2026
Source: NVD
CVE-2026-7965 LOW - 3.1

Insufficient validation of untrusted input in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: May 06, 2026
Source: NVD