Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,599
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 11,241 - 11,260 of 37,942 CVEs
CVE-2023-7345 MEDIUM - 6.5

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtai...

Published: May 19, 2026
Source: NVD
CVE-2026-39250 HIGH - 7.3

An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations.

Published: May 19, 2026
Source: NVD
CVE-2026-34233 MEDIUM - 6.5

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. ...

Vendor: Ctrlpanel-gg
Product: panel
Published: May 19, 2026
Source: NVD
CVE-2026-34216 MEDIUM - 6.6

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist ...

Vendor: Ctrlpanel-gg
Product: panel
Published: May 19, 2026
Source: NVD
CVE-2026-32882 HIGH - 7.1

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color c...

Vendor: strukturag
Product: libheif
Published: May 19, 2026
Source: NVD
CVE-2026-32814 MEDIUM - 6.5

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitializ...

Vendor: strukturag
Product: libheif
Published: May 19, 2026
Source: NVD
CVE-2026-32741 HIGH - 7.1

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, d...

Vendor: strukturag
Product: libheif
Published: May 19, 2026
Source: NVD
CVE-2025-57798 MEDIUM - 5.5

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out...

Vendor: laurent22
Product: joplin
Published: May 19, 2026
Source: NVD
CVE-2026-46417 HIGH - 6.1

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how ...

Vendor: npm
Product: @angular/platform-server
Published: May 19, 2026
Source: GitHub
CVE-2026-46415 HIGH - 8.2

Caddy Defender trusted proxy client IP bypass

Vendor: go
Product: pkg.jsn.cam/caddy-defender
Published: May 19, 2026
Source: GitHub
CVE-2026-46412 CRITICAL - 10.0

Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) โ€” Mini Shai-Hulud worm

Vendor: npm
Product: @beproduct/nestjs-auth
Published: May 19, 2026
Source: GitHub
CVE-2026-42526 MEDIUM - 5.3

In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had...

Vendor: Apache Software Foundation
Product: Apache Airflow Amazon provider
Published: May 19, 2026
Source: NVD
CVE-2026-32740 HIGH - 8.8

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting...

Vendor: strukturag
Product: libheif
Published: May 19, 2026
Source: NVD
CVE-2026-32739 MEDIUM - 6.5

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout a...

Vendor: strukturag
Product: libheif
Published: May 19, 2026
Source: NVD
CVE-2026-27173 HIGH - 8.7

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of Ai...

Vendor: Apache Software Foundation
Product: Apache Airflow CNCF Kubernetes provider
Published: May 19, 2026
Source: NVD

FileBrowser Quantum: unauthenticated user share share info

Vendor: go
Product: github.com/gtsteffaniak/filebrowser/backend
Published: May 19, 2026
Source: GitHub
CVE-2026-46374 HIGH - 7.5

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to tri...

Vendor: pip
Product: sqlfluff
Published: May 19, 2026
Source: GitHub
CVE-2026-46373 HIGH - 7.5

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any applic...

Vendor: pip
Product: sqlfluff
Published: May 19, 2026
Source: GitHub
CVE-2026-46372 HIGH - 8.5

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it direc...

Vendor: npm
Product: sillytavern
Published: May 19, 2026
Source: GitHub
CVE-2026-46378 HIGH - 7.5

Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal

Vendor: go
Product: github.com/tomwright/dasel/v3
Published: May 19, 2026
Source: GitHub