Total CVEs

143,745

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,562
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 761 - 780 of 1,590 CVEs

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize th...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves mislabeled nodes behind with...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces a...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior differs from GNU comm, w...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines th...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD

The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the curren...

Vendor: Uutils
Product: coreutils
Published: Apr 22, 2026
Source: NVD
CVE-2025-9957 LOW - 2.7

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper...

Vendor: gitlab
Product: gitlab
Published: Apr 22, 2026
Source: NVD

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supporte...

Vendor: pip
Product: poetry
Published: Apr 22, 2026
Source: GitHub

A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.

Vendor: PowerDNS
Product: DNSdist
Published: Apr 22, 2026
Source: NVD

PRSD detection denial of service

Vendor: PowerDNS
Product: DNSdist
Published: Apr 22, 2026
Source: NVD

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.

Vendor: PowerDNS
Product: DNSdist
Published: Apr 22, 2026
Source: NVD
CVE-2026-6842 LOW - 2.5

A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or in...

Published: Apr 22, 2026
Source: NVD

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expir...

Vendor: Spring
Product: Spring Security
Published: Apr 22, 2026
Source: NVD
CVE-2026-6416 LOW - 2.7

Tanium addressed an uncontrolled resource consumption vulnerability in Interact.

Published: Apr 22, 2026
Source: NVD
CVE-2026-6408 LOW - 2.7

Tanium addressed an information disclosure vulnerability in Tanium Server.

Published: Apr 22, 2026
Source: NVD
CVE-2026-6392 LOW - 2.7

Tanium addressed an information disclosure vulnerability in Threat Response.

Published: Apr 22, 2026
Source: NVD
CVE-2026-6830 LOW - 3.3

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and...

Published: Apr 21, 2026
Source: NVD

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...

Vendor: oracle
Product: vm_virtualbox
Published: Apr 21, 2026
Source: NVD

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...

Vendor: oracle
Product: vm_virtualbox
Published: Apr 21, 2026
Source: NVD