Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 11,961 - 11,980 of 38,432 CVEs
CVE-2026-32323 HIGH - 7.3

Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is atta...

Vendor: mullvad
Product: mullvadvpn-app
Published: May 19, 2026
Source: NVD
CVE-2026-32312 MEDIUM - 4.3

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.

Vendor: glpi-project
Product: glpi
Published: May 19, 2026
Source: NVD
CVE-2026-32244 MEDIUM - 5.3

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3....

Vendor: discourse
Product: discourse
Published: May 19, 2026
Source: NVD
CVE-2026-30950 HIGH - 7.1

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's sessi...

Vendor: Significant-Gravitas
Product: AutoGPT
Published: May 18, 2026
Source: NVD
CVE-2026-27737 MEDIUM - 6.5

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recordi...

Vendor: bigbluebutton, blindsidenetworks
Product: bigbluebutton, scalite, bbb-playback
Published: May 18, 2026
Source: NVD
CVE-2026-8851 HIGH - 8.1

SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inj...

Published: May 18, 2026
Source: NVD
CVE-2026-8838 CRITICAL - 9.8

Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.

Vendor: pip
Product: redshift-connector
Published: May 18, 2026
Source: NVD
CVE-2026-4137 HIGH - 7.0

In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with ...

Published: May 18, 2026
Source: NVD
CVE-2026-27130 CRITICAL - 9.9

Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application ...

Vendor: Dokploy
Product: dokploy
Published: May 18, 2026
Source: NVD

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected fi...

Vendor: FreePBX
Product: security-reporting
Published: May 18, 2026
Source: NVD
CVE-2026-46559 MEDIUM - 4.0

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options. This issue has been patched in versions 6....

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-46557 MEDIUM - 6.2

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-23, due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument. This issue has been patched in version 7.1.2-23.

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-46523 MEDIUM - 6.2

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free. Versions 7.1.2.23 and 6.9.13-48 fix the issue.

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-46522 HIGH - 7.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-46521 MEDIUM - 5.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check. This issue has been patched in versions 6.9.13-48 and 7.1....

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-46520 HIGH - 7.5

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-45664 MEDIUM - 5.3

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. Th...

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-45624 MEDIUM - 5.1

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments. This issue has been patched in version...

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: May 18, 2026
Source: GitHub
CVE-2026-45367 HIGH - 7.5

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

Vendor: maven
Product: ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
Published: May 18, 2026
Source: GitHub
CVE-2026-45554 MEDIUM - 5.3

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette&...

Vendor: pip
Product: nicegui
Published: May 18, 2026
Source: GitHub