Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,743
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 11,781 - 11,800 of 38,432 CVEs
CVE-2025-61081 HIGH - 7.5

In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs.

Published: May 19, 2026
Source: NVD

In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.  An authenticated attacker with administrative privileges could exploit this issue to confirm the pre...

Published: May 19, 2026
Source: NVD
CVE-2026-47358 HIGH - 7.5

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, it resolves external URLs referenced within those templates vi...

Vendor: tenable
Product: Terrascan
Published: May 19, 2026
Source: NVD
CVE-2026-47357 HIGH - 7.5

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled ...

Vendor: tenable
Product: Terrascan
Published: May 19, 2026
Source: NVD
CVE-2026-47356 HIGH - 7.5

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_ur...

Vendor: tenable
Product: Terrascan
Published: May 19, 2026
Source: NVD
CVE-2026-36829 CRITICAL - 9.8

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypas...

Published: May 19, 2026
Source: NVD
CVE-2026-36828 HIGH - 8.8

A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.

Published: May 19, 2026
Source: NVD
CVE-2026-36827 MEDIUM - 5.4

A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when...

Published: May 19, 2026
Source: NVD
CVE-2026-46341 MEDIUM - 6.1

Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching

Vendor: npm
Product: @apify/actors-mcp-server
Published: May 19, 2026
Source: GitHub
CVE-2026-46426 HIGH - 7.6

Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser ...

Vendor: npm
Product: budibase
Published: May 19, 2026
Source: GitHub
CVE-2026-46424 MEDIUM - 4.2

Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user iden...

Vendor: npm
Product: @budibase/backend-core
Published: May 19, 2026
Source: GitHub
CVE-2026-46337 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploade...

Vendor: composer
Product: WWBN/AVideo
Published: May 19, 2026
Source: GitHub
CVE-2026-45793 HIGH - 7.5

Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Vendor: composer
Product: composer/composer
Published: May 19, 2026
Source: GitHub
CVE-2026-8706 MEDIUM - 6.5

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.

Vendor: mozilla
Product: firefox
Published: May 19, 2026
Source: NVD
CVE-2026-5804 HIGH - 8.4

An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing ...

Published: May 19, 2026
Source: NVD
CVE-2026-37281 CRITICAL - 9.8

An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter.

Published: May 19, 2026
Source: NVD
CVE-2026-31072 CRITICAL - 9.8

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

Published: May 19, 2026
Source: NVD
CVE-2026-31071 CRITICAL - 9.1

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescrip...

Published: May 19, 2026
Source: NVD
CVE-2026-31070 CRITICAL - 9.8

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body

Published: May 19, 2026
Source: NVD
CVE-2026-31069 HIGH - 8.8

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although fi...

Published: May 19, 2026
Source: NVD