Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Showing 11,261 - 11,280 of 14,604 CVEs
CVE-2026-26312 MEDIUM - 6.5

Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested `message/rfc822` MIME parts via IMAP or JMAP causes excessive CPU and memory consumption,...

Vendor: stalwartlabs
Product: stalwart
Published: Feb 19, 2026
Source: NVD
CVE-2026-26282 MEDIUM - 6.6

NanaZip is an open source file archiver. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in the `.NET Single File` bundle header parser due to a missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Ver...

Vendor: M2Team
Product: NanaZip
Published: Feb 19, 2026
Source: NVD

Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting t...

Vendor: npm
Product: pannellum
Published: Feb 19, 2026
Source: GitHub

Werkzeug is a comprehensive WSGI web application library. In versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that saf...

Vendor: pip
Product: werkzeug
Published: Feb 19, 2026
Source: GitHub
CVE-2026-27125 MEDIUM - 6.8

Svelte is a performance-oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has alrea...

Vendor: npm
Product: svelte
Published: Feb 19, 2026
Source: GitHub
CVE-2026-26203 MEDIUM - 6.5

PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs uncheck...

Vendor: pjsip
Product: pjmedia-video
Published: Feb 19, 2026
Source: NVD
CVE-2026-27120 MEDIUM - 6.1

Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and ...

Vendor: swift
Product: leaf-kit
Published: Feb 19, 2026
Source: GitHub
CVE-2026-26963 MEDIUM - 6.1

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6.

Vendor: go
Product: github.com/cilium/cilium
Published: Feb 19, 2026
Source: GitHub
CVE-2026-27474 MEDIUM - 5.4

SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these el...

Vendor: SPIP
Product: SPIP
Published: Feb 19, 2026
Source: NVD
CVE-2026-27473 MEDIUM - 6.4

SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other...

Vendor: SPIP
Product: SPIP
Published: Feb 19, 2026
Source: NVD
CVE-2026-27472 MEDIUM - 4.3

SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrar...

Vendor: SPIP
Product: SPIP
Published: Feb 19, 2026
Source: NVD
CVE-2026-26059 MEDIUM - 5.4

ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.

Vendor: ChurchCRM
Product: CRM
Published: Feb 19, 2026
Source: NVD
CVE-2026-23621 MEDIUM - 4.3

GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via t...

Vendor: GFI Software
Product: MailEssentials AI
Published: Feb 19, 2026
Source: NVD
CVE-2026-2817 MEDIUM - 4.4

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache...

Published: Feb 19, 2026
Source: NVD
CVE-2026-2243 MEDIUM - 5.1

A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).

Published: Feb 19, 2026
Source: NVD
CVE-2026-26338 MEDIUM - 6.5

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.

Vendor: Hyland
Product: Alfresco Transformation Service (Enterprise), Alfresco Community (Transform Core)
Published: Feb 19, 2026
Source: NVD
CVE-2026-23620 MEDIUM - 4.3

GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON k...

Vendor: GFI Software
Product: MailEssentials AI
Published: Feb 19, 2026
Source: NVD
CVE-2026-23619 MEDIUM - 5.4

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter to /MailEssentials/pages/MailSecurity/general.aspx, whic...

Vendor: GFI Software
Product: MailEssentials AI
Published: Feb 19, 2026
Source: NVD
CVE-2026-23618 MEDIUM - 5.4

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition parameter to /MailEssentials/...

Vendor: GFI Software
Product: MailEssentials AI
Published: Feb 19, 2026
Source: NVD
CVE-2026-23617 MEDIUM - 5.4

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Body) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvGeneral$TXB_Condition parameter to /MailEssentials/pages/Mail...

Vendor: GFI Software
Product: MailEssentials AI
Published: Feb 19, 2026
Source: NVD