Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,541
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 1,001 - 1,020 of 1,590 CVEs

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bou...

Vendor: go
Product: github.com/go-git/go-git/v5
Published: Mar 30, 2026
Source: GitHub
CVE-2026-5123 LOW - 3.7

A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploita...

Vendor: osrg
Product: gobgp
Published: Mar 30, 2026
Source: NVD
CVE-2026-5122 LOW - 3.7

A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiat...

Published: Mar 30, 2026
Source: NVD

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby attackers to read beyond packet boundaries. Attackers can establish ...

Vendor: BlueKitchen GmbH
Product: BTstack
Published: Mar 30, 2026
Source: NVD

BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES handlers that allows attackers to read beyond buffer boundaries. A nearby attacker with a paired Bluet...

Vendor: BlueKitchen GmbH
Product: BTstack
Published: Mar 30, 2026
Source: NVD
CVE-2026-5106 LOW - 2.4

A flaw has been found in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_fst.php. Executing a manipulation of the argument sname can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publishe...

Vendor: code-projects
Product: exam_form_submission
Published: Mar 30, 2026
Source: NVD

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticate...

Vendor: npm
Product: parse-server
Published: Mar 29, 2026
Source: GitHub
CVE-2026-5037 LOW - 3.3

A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has ...

Published: Mar 29, 2026
Source: NVD
CVE-2026-4995 LOW - 3.5

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. Th...

Published: Mar 28, 2026
Source: NVD
CVE-2026-4994 LOW - 3.5

A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the loc...

Published: Mar 28, 2026
Source: NVD
CVE-2026-4993 LOW - 3.3

A vulnerability has been found in wandb OpenUI up to 0.0.0.0/1.0. This impacts an unknown function of the file backend/openui/config.py. The manipulation of the argument LITELLM_MASTER_KEY leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the ...

Published: Mar 28, 2026
Source: NVD
CVE-2026-4991 LOW - 3.5

A vulnerability was detected in QDOCS Smart School Management System up to 7.2. The impacted element is an unknown function of the file /admin/enquiry of the component Admission Enquiry Module. Performing a manipulation of the argument Note results in cross site scripting. The attack is possible to ...

Published: Mar 27, 2026
Source: NVD
CVE-2026-4988 LOW - 3.7

A security flaw has been discovered in Open5GS 2.7.6. This issue affects the function smf_gx_cca_cb/smf_gy_cca_cb/smf_s6b of the component CCA Message Handler. The manipulation results in denial of service. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitab...

Vendor: open5gs
Product: open5gs
Published: Mar 27, 2026
Source: NVD
CVE-2026-4973 LOW - 3.5

A vulnerability was detected in SourceCodester Online Quiz System up to 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-question.php. Performing a manipulation of the argument quiz_question results in cross site scripting. It is possible to initiate the attac...

Published: Mar 27, 2026
Source: NVD
CVE-2026-4972 LOW - 2.4

A security vulnerability has been detected in code-projects Online Reviewer System up to 1.0. Affected is an unknown function of the file /system/system/students/assessments/databank/btn_functions.php. Such manipulation of the argument Description leads to cross site scripting. The attack may be per...

Published: Mar 27, 2026
Source: NVD

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scriptin...

Vendor: home-assistant
Product: core
Published: Mar 27, 2026
Source: NVD

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a d...

Vendor: home-assistant
Product: core
Published: Mar 27, 2026
Source: NVD

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptogr...

Vendor: pip
Product: cryptography
Published: Mar 27, 2026
Source: GitHub
CVE-2026-4969 LOW - 3.5

A vulnerability was identified in code-projects Social Networking Site 1.0. The impacted element is an unknown function of the file /home.php of the component Alert Handler. The manipulation of the argument content leads to cross site scripting. Remote exploitation of the attack is possible. The exp...

Published: Mar 27, 2026
Source: NVD
CVE-2026-4958 LOW - 3.1

A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument interaction_id leads to authorization by...

Published: Mar 27, 2026
Source: NVD