Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,576
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,261 - 11,280 of 37,942 CVEs
CVE-2026-46377 HIGH - 7.5

Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string

Vendor: go
Product: github.com/tomwright/dasel/v3
Published: May 19, 2026
Source: GitHub
CVE-2026-45783 HIGH - 7.5

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No ...

Vendor: npm
Product: @libp2p/kad-dht
Published: May 19, 2026
Source: GitHub
CVE-2026-46354 CRITICAL - 9.1

Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Vendor: go
Product: github.com/coder/coder/v2
Published: May 19, 2026
Source: GitHub

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body...

Vendor: npm
Product: nuxt
Published: May 19, 2026
Source: GitHub
CVE-2026-46338 MEDIUM - 4.3

Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path

Vendor: pip
Product: pymdown-extensions
Published: May 19, 2026
Source: GitHub
CVE-2026-45805 HIGH - 8.8

PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE

Vendor: npm
Product: @penpot/mcp
Published: May 19, 2026
Source: GitHub

FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out....

Vendor: composer
Product: setasign/fpdi
Published: May 19, 2026
Source: GitHub
CVE-2026-45799 HIGH - 7.5

Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service

Vendor: maven
Product: com.squareup.wire:wire-runtime-jvm
Published: May 19, 2026
Source: GitHub
CVE-2026-45796 MEDIUM - 6.5

Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint

Vendor: go
Product: github.com/coder/coder/v2
Published: May 19, 2026
Source: GitHub
CVE-2026-46357 MEDIUM - 6.5

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire applicatio...

Vendor: npm
Product: @haxtheweb/haxcms-nodejs
Published: May 19, 2026
Source: GitHub
CVE-2026-45785 MEDIUM - 6.2

OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle

Vendor: nuget
Product: OpenMcdf
Published: May 19, 2026
Source: GitHub

rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers

Vendor: rust
Product: openssl
Published: May 19, 2026
Source: GitHub
CVE-2026-46339 CRITICAL - 10.0

9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

Vendor: npm
Product: 9router
Published: May 19, 2026
Source: GitHub
CVE-2026-45695 CRITICAL - 9.8

Kopia: RCE via SSH ProxyCommand Injection

Vendor: go
Product: github.com/kopia/kopia
Published: May 19, 2026
Source: GitHub

Execution with unnecessary privileges vulnerability in Broadcom Automic Automation Agent Unix on Linux x64, Linux Power 64 BE, Linux Power 64 LE, zLinux (zSeries), AIX, Solaris x64, Solaris Sparc 64 allows Privilege Escalation, Target Programs with Elevated Privileges. This issue affects Automic Au...

Published: May 19, 2026
Source: NVD
CVE-2026-8096 MEDIUM - 6.5

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for auth...

Published: May 19, 2026
Source: NVD
CVE-2026-8073 HIGH - 7.5

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it p...

Published: May 19, 2026
Source: NVD
CVE-2026-41470 MEDIUM - 5.9

LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connectio...

Vendor: Live Networks, Inc.
Product: LIVE555
Published: May 19, 2026
Source: NVD

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions ...

Vendor: discourse
Product: discourse
Published: May 19, 2026
Source: NVD
CVE-2026-33741 MEDIUM - 6.8

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry poin...

Vendor: espocrm
Product: espocrm
Published: May 19, 2026
Source: NVD