Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,592
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 11,301 - 11,320 of 37,942 CVEs
CVE-2026-46424 MEDIUM - 4.2

Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user iden...

Vendor: npm
Product: @budibase/backend-core
Published: May 19, 2026
Source: GitHub
CVE-2026-46337 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploade...

Vendor: composer
Product: WWBN/AVideo
Published: May 19, 2026
Source: GitHub
CVE-2026-45793 HIGH - 7.5

Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Vendor: composer
Product: composer/composer
Published: May 19, 2026
Source: GitHub
CVE-2026-8706 MEDIUM - 6.5

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.

Vendor: mozilla
Product: firefox
Published: May 19, 2026
Source: NVD
CVE-2026-5804 HIGH - 8.4

An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing ...

Published: May 19, 2026
Source: NVD
CVE-2026-37281 CRITICAL - 9.8

An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter.

Published: May 19, 2026
Source: NVD
CVE-2026-31072 CRITICAL - 9.8

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

Published: May 19, 2026
Source: NVD
CVE-2026-31071 CRITICAL - 9.1

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescrip...

Published: May 19, 2026
Source: NVD
CVE-2026-31070 CRITICAL - 9.8

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body

Published: May 19, 2026
Source: NVD
CVE-2026-31069 HIGH - 8.8

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although fi...

Published: May 19, 2026
Source: NVD
CVE-2026-30118 CRITICAL - 9.8

scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to authentica...

Published: May 19, 2026
Source: NVD
CVE-2026-30117 CRITICAL - 9.8

scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.

Published: May 19, 2026
Source: NVD

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token&...

Vendor: pip
Product: strawberry-graphql
Published: May 19, 2026
Source: GitHub
CVE-2026-45738 HIGH - 7.3

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Vendor: go
Product: github.com/argoproj/argo-cd/v3
Published: May 19, 2026
Source: GitHub
CVE-2026-45737 MEDIUM - 6.3

Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

Vendor: go
Product: github.com/argoproj/argo-cd/v3
Published: May 19, 2026
Source: GitHub
CVE-2026-45713 HIGH - 7.5

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45712 MEDIUM - 5.9

Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45711 MEDIUM - 5.9

Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45709 MEDIUM - 5.8

Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45692 MEDIUM - 5.4

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config...

Vendor: go
Product: github.com/caddyserver/caddy/v2
Published: May 19, 2026
Source: GitHub