Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 10,761 - 10,780 of 14,221 CVEs
CVE-2026-28421 MEDIUM - 5.3

Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the ...

Vendor: vim
Product: vim
Published: Feb 27, 2026
Source: NVD
CVE-2026-28420 MEDIUM - 4.4

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

Vendor: vim
Product: vim
Published: Feb 27, 2026
Source: NVD
CVE-2026-28419 MEDIUM - 5.3

Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately precedin...

Vendor: vim
Product: vim
Published: Feb 27, 2026
Source: NVD
CVE-2026-28418 MEDIUM - 4.4

Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory bound...

Vendor: vim
Product: vim
Published: Feb 27, 2026
Source: NVD
CVE-2026-28417 MEDIUM - 4.4

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell comm...

Vendor: vim
Product: vim
Published: Feb 27, 2026
Source: NVD
CVE-2026-28415 MEDIUM - 4.3

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/call...

Vendor: gradio-app
Product: gradio
Published: Feb 27, 2026
Source: NVD
CVE-2026-28407 MEDIUM - 5.3

malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives that failed to extract, which could potentially leave malicious content. A better approach is to preserve these archives ...

Vendor: chainguard-dev
Product: malcontent
Published: Feb 27, 2026
Source: NVD
CVE-2026-28352 MEDIUM - 6.5

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is ...

Vendor: indico
Product: indico
Published: Feb 27, 2026
Source: NVD
CVE-2026-28351 MEDIUM - 5.3

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, ...

Vendor: py-pdf
Product: pypdf
Published: Feb 27, 2026
Source: NVD
CVE-2026-28338 MEDIUM - 6.8

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report co...

Vendor: pmd
Product: pmd
Published: Feb 27, 2026
Source: NVD
CVE-2026-28271 MEDIUM - 6.5

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration functionality allows bypassing of SSRF protections through DNS rebinding attacks. Malicious administrators could exploit this to access internal services that should be restricted. Version 9...

Vendor: kiteworks
Product: security-advisories
Published: Feb 27, 2026
Source: NVD
CVE-2026-28270 MEDIUM - 4.9

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch for...

Vendor: kiteworks
Product: security-advisories
Published: Feb 27, 2026
Source: NVD
CVE-2018-25160 MEDIUM - 6.5

HTTP::Session2 versions through 1.09 for Perl do not validate the format of user-provided session ids, enabling code injection or other impact depending on session backend. For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject m...

Vendor: TOKUHIROM
Product: HTTP::Session2
Published: Feb 27, 2026
Source: NVD
CVE-2026-3255 MEDIUM - 6.5

HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epo...

Vendor: tokuhirom
Product: http\
Published: Feb 27, 2026
Source: NVD
CVE-2026-28354 MEDIUM - 6.5

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item (/actions/add_to_collection.php) due to mis...

Vendor: MacWarrior
Product: clipbucket-v5
Published: Feb 27, 2026
Source: NVD
CVE-2026-27824 MEDIUM - 5.3

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For`...

Vendor: kovidgoyal
Product: calibre
Published: Feb 27, 2026
Source: NVD
CVE-2026-27810 MEDIUM - 6.4

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsan...

Vendor: kovidgoyal
Product: calibre
Published: Feb 27, 2026
Source: NVD
CVE-2026-27793 MEDIUM - 6.5

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of ...

Vendor: seerr-team
Product: seerr
Published: Feb 27, 2026
Source: NVD
CVE-2026-27792 MEDIUM - 5.4

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other user...

Vendor: seerr-team
Product: seerr
Published: Feb 27, 2026
Source: NVD
CVE-2026-27734 MEDIUM - 6.5

Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker En...

Vendor: henrygd
Product: beszel
Published: Feb 27, 2026
Source: NVD