Total CVEs

143,745

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,554
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 741 - 760 of 1,590 CVEs

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Client Balance component

Published: Apr 24, 2026
Source: NVD

OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables ...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows ac...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute for...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-2708 LOW - 3.7

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an ...

Published: Apr 23, 2026
Source: NVD

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to fo...

Vendor: npm
Product: @astrojs/cloudflare
Published: Apr 23, 2026
Source: GitHub
CVE-2026-4512 LOW - 3.5

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to in...

Published: Apr 23, 2026
Source: NVD

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.

Vendor: uuidjs
Product: uuid
Published: Apr 23, 2026
Source: NVD
CVE-2026-1272 LOW - 2.7

IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration vulnerability in the user access control panel.

Vendor: ibm
Product: guardium_data_protection
Published: Apr 23, 2026
Source: NVD

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions...

Vendor: rust
Product: openssl
Published: Apr 22, 2026
Source: GitHub

nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derive...

Vendor: nimiq
Product: nimiq-transaction
Published: Apr 22, 2026
Source: NVD
CVE-2026-3254 LOW - 3.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD

A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized newline-del...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class, effectively reversing t...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR (|) and AND (&) oper...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation ...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8 r...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation en...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in m...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the ...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD