Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,743
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 11,821 - 11,840 of 38,432 CVEs
CVE-2026-44159 CRITICAL - 9.8

Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021.

Vendor: Tyler Technologies
Product: TID-L
Published: May 19, 2026
Source: NVD
CVE-2026-43634 HIGH - 7.5

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's ...

Vendor: hestiacp
Product: hestiacp
Published: May 19, 2026
Source: NVD
CVE-2026-34883 MEDIUM - 5.3

An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to ...

Published: May 19, 2026
Source: NVD
CVE-2026-2587 CRITICAL - 9.6

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processe...

Vendor: eclipse
Product: glassfish
Published: May 19, 2026
Source: NVD
CVE-2026-2586 CRITICAL - 9.1

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

Vendor: eclipse
Product: glassfish
Published: May 19, 2026
Source: NVD
CVE-2025-70950 HIGH - 7.3

An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request.

Published: May 19, 2026
Source: NVD
CVE-2025-51427 HIGH - 7.3

An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module listed in the configuration file (dey_mini.yaml) under the key ['nnet']['module'].

Published: May 19, 2026
Source: NVD

rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

Vendor: pip
Product: zrok
Published: May 19, 2026
Source: GitHub

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. T...

Vendor: npm
Product: @haxtheweb/haxcms-nodejs
Published: May 19, 2026
Source: GitHub

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed wh...

Vendor: npm
Product: @haxtheweb/haxcms-nodejs
Published: May 19, 2026
Source: GitHub

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing k...

Vendor: npm
Product: @haxtheweb/haxcms-nodejs
Published: May 19, 2026
Source: GitHub

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched...

Vendor: npm
Product: @haxtheweb/open-apis
Published: May 19, 2026
Source: GitHub

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are...

Vendor: npm
Product: @haxtheweb/haxcms-nodejs
Published: May 19, 2026
Source: GitHub

HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling...

Vendor: npm
Product: @haxtheweb/haxcms-nodejs
Published: May 19, 2026
Source: GitHub
CVE-2026-45721 CRITICAL - 9.0

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as t...

Vendor: go
Product: github.com/xyproto/algernon
Published: May 19, 2026
Source: GitHub
CVE-2026-45728 HIGH - 7.5

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response ...

Vendor: go
Product: github.com/xyproto/algernon
Published: May 19, 2026
Source: GitHub

Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"`...

Vendor: pip
Product: idna
Published: May 19, 2026
Source: GitHub
CVE-2026-8975 CRITICAL - 9.8

Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR...

Vendor: mozilla
Product: firefox
Published: May 19, 2026
Source: NVD
CVE-2026-8974 CRITICAL - 9.8

Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunder...

Vendor: mozilla
Product: firefox
Published: May 19, 2026
Source: NVD
CVE-2026-8973 CRITICAL - 9.8

Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Vendor: mozilla
Product: firefox
Published: May 19, 2026
Source: NVD