Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,667
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 11,821 - 11,840 of 37,697 CVEs

Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.

Vendor: pip
Product: ethyca-fides
Published: May 14, 2026
Source: GitHub
CVE-2026-45011 HIGH - 7.3

ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to pub...

Vendor: npm
Product: apostrophe
Published: May 14, 2026
Source: GitHub
CVE-2026-45013 HIGH - 8.1

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly config...

Vendor: npm
Product: apostrophe
Published: May 14, 2026
Source: GitHub
CVE-2026-45012 HIGH - 7.6

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch att...

Vendor: npm
Product: apostrophe
Published: May 14, 2026
Source: GitHub
CVE-2026-44990 CRITICAL - 9.3

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML o...

Vendor: npm
Product: sanitize-html
Published: May 14, 2026
Source: GitHub
CVE-2026-44973 HIGH - 8.1

Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was ...

Vendor: go
Product: github.com/go-git/go-billy/v5
Published: May 14, 2026
Source: GitHub

dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

Vendor: pip
Product: dbt-mcp
Published: May 14, 2026
Source: GitHub

dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Vendor: pip
Product: dbt-mcp
Published: May 14, 2026
Source: GitHub
CVE-2026-44968 MEDIUM - 6.3

dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Vendor: pip
Product: dbt-mcp
Published: May 14, 2026
Source: GitHub

CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it.

Published: May 14, 2026
Source: NVD
CVE-2026-46470 MEDIUM - 4.0

An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.

Vendor: GStreamer
Product: Good Plug-ins
Published: May 14, 2026
Source: NVD
CVE-2026-46469 MEDIUM - 4.0

An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.

Vendor: GStreamer
Product: Good Plug-ins
Published: May 14, 2026
Source: NVD
CVE-2026-42897 HIGH - 8.1

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: exchange_server
Published: May 14, 2026
Source: NVD

Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from a Static Route, it was possible to request paths such as http://localhost:8080/c:/Windows/System32/drivers/etc/hosts and have the cont...

Vendor: Badgerati
Product: Pode
Published: May 14, 2026
Source: NVD
CVE-2026-41615 CRITICAL - 9.6

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: authenticator
Published: May 14, 2026
Source: NVD
CVE-2025-15024 HIGH - 8.8

Improper Control of Generation of Code ('Code Injection') vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Remote Code Inclusion. This issue affects Library Automation System: from v.19.5 be...

Vendor: Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.
Product: Library Automation System
Published: May 14, 2026
Source: NVD
CVE-2025-15023 HIGH - 8.8

Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Library Automation System: from v.19.5 bef...

Vendor: Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.
Product: Library Automation System
Published: May 14, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-3258. Reason: This candidate is a reservation duplicate of CVE-2026-3258. Notes: All CVE users should reference CVE-2026-3258instead of this candidate. All references and descriptions in this candidate have been rem...

Published: May 14, 2026
Source: NVD
CVE-2026-6923 LOW - 3.8

A side-channel attack, which requires a physical presence to the TPM, can lead to extraction of an Elliptic Curve Diffie-Hellman (ECDH) key.

Published: May 14, 2026
Source: NVD
CVE-2026-45448 MEDIUM - 4.3

CWE-601 URL redirection to untrusted site ('open redirect')

Vendor: ntop
Product: ntopng
Published: May 14, 2026
Source: NVD