Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,619
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,521 - 12,540 of 37,942 CVEs

An untrusted pointer dereference in the ionic cloud driver for VMWare ESXi could allow an attacker with an unprivileged VM to read kernel memory or co-located guest VM memory, potentially resulting in loss of confidentiality or availability.

Vendor: AMD
Product: ESXi 8.x and ESXi 9.x hosts using AMD-Pensando DPU products
Published: May 13, 2026
Source: NVD

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

Vendor: AMD
Product: ESXi 8.x and ESXi 9.x hosts using AMD-Pensando DPU products
Published: May 13, 2026
Source: NVD

A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

Vendor: AMD
Product: ESXi 8.x and ESXi 9.x hosts using AMD-Pensando DPU products
Published: May 13, 2026
Source: NVD

Missing lock bit protection for NBIO registers could allow a local admin-privileged attacker to gain arbitrary System Management Network (SMN) access, potentially resulting in arbitrary code execution in AMD Secure Processor (ASP) and loss of the SEV-SNP guest's confidentiality and integrity.

Published: May 13, 2026
Source: NVD

Missing lock bit protection for NBIO registers could allow a local admin-privileged attacker to modify MMIO routing configurations, potentially resulting in loss of SEV-SNP guest integrity.

Published: May 13, 2026
Source: NVD

Improper enforcement of the LFENCE serialization property may allow an attacker to bypass speculation barriers and potentially disclose sensitive information, potentially resulting in loss of confidentiality.

Published: May 13, 2026
Source: NVD

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4.

Vendor: npm
Product: openlearnx
Published: May 13, 2026
Source: GitHub

Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encryp...

Vendor: npm
Product: astro
Published: May 13, 2026
Source: GitHub
CVE-2026-44697 HIGH - 8.6

Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on t...

Vendor: go
Product: github.com/klever-io/klever-go
Published: May 13, 2026
Source: GitHub
CVE-2026-44681 MEDIUM - 6.1

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an a...

Vendor: pip
Product: authlib
Published: May 13, 2026
Source: GitHub

mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33...

Vendor: maven
Product: org.mapfish.print:print-lib
Published: May 13, 2026
Source: GitHub
CVE-2026-8108 HIGH - 7.8

The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

Published: May 12, 2026
Source: NVD
CVE-2026-5371 HIGH - 7.1

The MonsterInsights โ€“ Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and inc...

Published: May 12, 2026
Source: NVD
CVE-2026-44548 HIGH - 8.1

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including...

Vendor: ChurchCRM
Product: CRM
Published: May 12, 2026
Source: NVD
CVE-2026-44547 CRITICAL - 9.6

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release there...

Vendor: ChurchCRM
Product: CRM
Published: May 12, 2026
Source: NVD

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3.

Vendor: reconurge
Product: flowsint
Published: May 12, 2026
Source: NVD
CVE-2026-44347 MEDIUM - 5.8

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on...

Vendor: warp-tech
Product: warpgate
Published: May 12, 2026
Source: NVD
CVE-2026-44341 MEDIUM - 5.3

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to ...

Vendor: karnop
Product: gojobs
Published: May 12, 2026
Source: NVD
CVE-2026-43685 HIGH - 7.2

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.

Vendor: Claris
Product: FileMaker Cloud
Published: May 12, 2026
Source: NVD
CVE-2026-43680 HIGH - 7.2

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5.

Vendor: Claris
Product: FileMaker Cloud
Published: May 12, 2026
Source: NVD