Total CVEs: 140,426
Critical Severity: 3,747
High Severity: 13,550
Last 7 Days: 1,486
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,941 - 8,960 of 36,831 CVEs
CVE-2026-9607 MEDIUM - 6.3

A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Manipulating the argument s results in SQL injection. The attack can be initiated remotely. The exploit has been made public an...

Published: May 27, 2026
Source: NVD
CVE-2026-9606 HIGH - 7.3

A vulnerability has been found in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /manage_user.php. Manipulation of the argument ID leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be us...

Published: May 27, 2026
Source: NVD
CVE-2026-9605 HIGH - 7.3

A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be u...

Published: May 27, 2026
Source: NVD
CVE-2026-9312 HIGH - 8.2

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request par...

Vendor: github
Product: enterprise_server
Published: May 27, 2026
Source: NVD
CVE-2026-8606 MEDIUM - 5.9

A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measu...

Vendor: github
Product: enterprise_server
Published: May 27, 2026
Source: NVD
CVE-2026-44645 MEDIUM - 6.5

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as th...

Vendor: npm
Product: liquidjs
Published: May 27, 2026
Source: GitHub
CVE-2026-44644 MEDIUM - 6.1

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags from a string before rendering, and is widely used as an XSS...

Vendor: npm
Product: liquidjs
Published: May 27, 2026
Source: GitHub
CVE-2026-44632 CRITICAL - 9.1

Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 27, 2026
Source: GitHub
CVE-2026-44596 MEDIUM - 6.5

Yamcs has No Rate Limiting on Authentication Endpoint

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 27, 2026
Source: GitHub
CVE-2026-44595 MEDIUM - 4.3

Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 27, 2026
Source: GitHub
CVE-2026-44587 MEDIUM - 4.7

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/up...

Vendor: rubygems
Product: carrierwave
Published: May 27, 2026
Source: GitHub

Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations

Vendor: go
Product: github.com/kata-containers/kata-containers
Published: May 26, 2026
Source: GitHub

Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass

Vendor: npm
Product: fuxa-server
Published: May 26, 2026
Source: GitHub

FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue

Vendor: npm
Product: fuxa-server
Published: May 26, 2026
Source: GitHub

FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection

Vendor: npm
Product: @frangoteam/fuxa
Published: May 26, 2026
Source: GitHub
CVE-2026-42568 MEDIUM - 4.3

Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. Versions 5.13....

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 26, 2026
Source: GitHub