Total CVEs

143,701

Critical Severity

4,088

High Severity

14,745

Last 7 Days

1,536
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,781 - 12,800 of 40,106 CVEs
CVE-2026-46716 CRITICAL - 9.9

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboa...

Vendor: go
Product: github.com/nezhahq/nezha
Published: May 23, 2026
Source: GitHub
CVE-2026-47125 HIGH - 8.8

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin a...

Vendor: go
Product: github.com/getarcaneapp/arcane/backend
Published: May 23, 2026
Source: GitHub
CVE-2026-47157 MEDIUM - 6.5

aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example...

Vendor: pip
Product: aiograpi
Published: May 23, 2026
Source: GitHub

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adv...

Vendor: npm
Product: parse-server
Published: May 23, 2026
Source: GitHub
CVE-2026-47120 MEDIUM - 5.4

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check). This issue has been patched in version 2.0.8.

Vendor: go
Product: github.com/nezhahq/nezha
Published: May 23, 2026
Source: GitHub
CVE-2026-46717 HIGH - 8.5

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /a...

Vendor: go
Product: github.com/nezhahq/nezha
Published: May 23, 2026
Source: GitHub
CVE-2026-47280 CRITICAL - 10.0

Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_resource_manager
Published: May 22, 2026
Source: NVD
CVE-2026-45659 HIGH - 8.8

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: sharepoint_server
Published: May 22, 2026
Source: NVD
CVE-2026-42901 CRITICAL - 10.0

Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: entra_id
Published: May 22, 2026
Source: NVD
CVE-2026-42827 MEDIUM - 6.5

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot
Published: May 22, 2026
Source: NVD
CVE-2026-41104 CRITICAL - 10.0

Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: planetary_computer
Published: May 22, 2026
Source: NVD
CVE-2026-41090 CRITICAL - 9.3

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

Vendor: microsoft
Product: 365_copilot
Published: May 22, 2026
Source: NVD
CVE-2026-40412 CRITICAL - 10.0

Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_orbital_spatio
Published: May 22, 2026
Source: NVD
CVE-2026-40411 CRITICAL - 9.9

Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_virtual_network_gateway
Published: May 22, 2026
Source: NVD
CVE-2026-35430 HIGH - 8.8

Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_privileged_identity_management
Published: May 22, 2026
Source: NVD
CVE-2026-33843 CRITICAL - 9.1

Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: entra_id
Published: May 22, 2026
Source: NVD
CVE-2026-26147 HIGH - 7.7

Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network.

Vendor: microsoft
Product: azure_stack_hci
Published: May 22, 2026
Source: NVD
CVE-2026-23663 HIGH - 7.5

Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: global_secure_access
Published: May 22, 2026
Source: NVD
CVE-2026-23652 CRITICAL - 10.0

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.

Vendor: microsoft
Product: power_pages
Published: May 22, 2026
Source: NVD
CVE-2026-41076 HIGH - 8.1

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may ...

Published: May 22, 2026
Source: NVD