Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,743
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 11,981 - 12,000 of 38,432 CVEs
CVE-2026-45553 HIGH - 7.5

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standar...

Vendor: pip
Product: nicegui
Published: May 18, 2026
Source: GitHub
CVE-2026-45686 HIGH - 7.5

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing mem...

Vendor: go
Product: go.opentelemetry.io/obi
Published: May 18, 2026
Source: GitHub
CVE-2026-45685 HIGH - 7.5

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry a...

Vendor: go
Product: go.opentelemetry.io/obi
Published: May 18, 2026
Source: GitHub
CVE-2026-45684 MEDIUM - 4.9

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log in...

Vendor: go
Product: go.opentelemetry.io/obi
Published: May 18, 2026
Source: GitHub
CVE-2026-45682 MEDIUM - 5.1

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrume...

Vendor: go
Product: go.opentelemetry.io/obi
Published: May 18, 2026
Source: GitHub
CVE-2026-47092 HIGH - 7.8

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version ch...

Vendor: jarrodwatts
Product: claude-hud
Published: May 18, 2026
Source: NVD

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a pe...

Vendor: jarrodwatts
Product: claude-hud
Published: May 18, 2026
Source: NVD
CVE-2026-47090 MEDIUM - 4.6

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embe...

Vendor: jarrodwatts
Product: claude-hud
Published: May 18, 2026
Source: NVD
CVE-2026-45246 MEDIUM - 5.5

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the r...

Vendor: steipete
Product: summarize
Published: May 18, 2026
Source: NVD
CVE-2026-45245 HIGH - 7.4

Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. ...

Vendor: steipete
Product: summarize
Published: May 18, 2026
Source: NVD
CVE-2026-45244 MEDIUM - 5.4

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke ...

Vendor: steipete
Product: summarize
Published: May 18, 2026
Source: NVD
CVE-2026-21789 MEDIUM - 4.6

HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.

Vendor: HCLSoftware
Product: Connections
Published: May 18, 2026
Source: NVD

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Java TLS ioctl probe reads user-controlled ioctl pointers with bpf_probe_read instead of bpf_probe_read_user. An instrumented local process can therefore point OBI at ker...

Vendor: go
Product: go.opentelemetry.io/obi
Published: May 18, 2026
Source: GitHub
CVE-2026-45681 MEDIUM - 5.9

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read...

Vendor: go
Product: go.opentelemetry.io/obi
Published: May 18, 2026
Source: GitHub
CVE-2026-45680 MEDIUM - 5.9

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics...

Vendor: go
Product: go.opentelemetry.io/obi
Published: May 18, 2026
Source: GitHub
CVE-2026-8836 CRITICAL - 9.8

A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be i...

Published: May 18, 2026
Source: NVD
CVE-2026-45243 MEDIUM - 6.1

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, crea...

Vendor: steipete
Product: summarize
Published: May 18, 2026
Source: NVD
CVE-2026-45242 HIGH - 7.1

Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit thi...

Vendor: steipete
Product: summarize
Published: May 18, 2026
Source: NVD
CVE-2026-45231 MEDIUM - 6.1

DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update a...

Vendor: DumbWareio
Product: DumbAssets
Published: May 18, 2026
Source: NVD
CVE-2026-45731 MEDIUM - 4.9

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to r...

Vendor: composer
Product: WWBN/AVideo
Published: May 18, 2026
Source: GitHub