Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,618
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 11,101 - 11,120 of 37,942 CVEs
CVE-2026-46431 MEDIUM - 4.3

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is su...

Vendor: go
Product: github.com/xyproto/algernon
Published: May 20, 2026
Source: GitHub
CVE-2026-46430 MEDIUM - 4.3

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553&...

Vendor: go
Product: github.com/xyproto/algernon
Published: May 20, 2026
Source: GitHub

Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)

Vendor: npm
Product: @cap-js/sqlite
Published: May 20, 2026
Source: GitHub
CVE-2026-46420 MEDIUM - 5.6

Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Vendor: actions
Product: shivammathur/setup-php
Published: May 20, 2026
Source: GitHub
CVE-2026-45804 HIGH - 7.5

Diffusers: TOCTOU Trust Remote Code Bypass

Vendor: pip
Product: diffusers
Published: May 20, 2026
Source: GitHub

rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.32.0, RTK (Rust Token Killer) improperly trusts project-local configuration files. RTK automatically loads .rtk/filters.toml from the working directory with highest priority and without user notification. An at...

Vendor: rust
Product: rtk
Published: May 20, 2026
Source: GitHub
CVE-2026-8485 MEDIUM - 5.9

Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

Vendor: progress
Product: moveit_automation
Published: May 20, 2026
Source: NVD

Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without valid...

Vendor: erlang
Product: phoenix_storybook
Published: May 20, 2026
Source: NVD

Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_ev...

Vendor: erlang
Product: phoenix_storybook
Published: May 20, 2026
Source: NVD

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe...

Vendor: phenixdigital
Product: phoenix_storybook
Published: May 20, 2026
Source: NVD
CVE-2026-24425 HIGH - 8.8

Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fa...

Vendor: twigphp
Product: Twig
Published: May 20, 2026
Source: NVD
CVE-2026-22554 HIGH - 7.8

MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability

Vendor: MediaArea
Product: MediaInfoLib
Published: May 20, 2026
Source: NVD
CVE-2026-21836 MEDIUM - 6.5

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.

Vendor: HCLSoftware
Product: DominoIQ
Published: May 20, 2026
Source: NVD
CVE-2026-5950 MEDIUM - 5.3

An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through ...

Vendor: isc
Product: bind
Published: May 20, 2026
Source: NVD
CVE-2026-5947 HIGH - 7.5

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during...

Vendor: isc
Product: bind
Published: May 20, 2026
Source: NVD
CVE-2026-5946 HIGH - 7.5

Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code pat...

Vendor: isc
Product: bind
Published: May 20, 2026
Source: NVD
CVE-2026-45584 HIGH - 8.1

Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.

Vendor: microsoft
Product: malware_protection_engine
Published: May 20, 2026
Source: NVD
CVE-2026-45498 MEDIUM - 4.0

Microsoft Defender Denial of Service Vulnerability

Vendor: microsoft
Product: defender_antimalware_platform
Published: May 20, 2026
Source: NVD
CVE-2026-45443 MEDIUM - 5.0

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.

Vendor: ADD-ONS.ORG
Product: PDF for Elementor Forms + Drag And Drop Template Builder
Published: May 20, 2026
Source: NVD
CVE-2026-42834 HIGH - 7.8

Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

Vendor: microsoft
Product: windows_admin_center
Published: May 20, 2026
Source: NVD