Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,646
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 12,881 - 12,900 of 37,942 CVEs
CVE-2026-42074 CRITICAL - 9.8

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can ...

Vendor: npm
Product: openclaude
Published: May 12, 2026
Source: GitHub
CVE-2026-43515 CRITICAL - 9.1

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0....

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD
CVE-2026-43513 HIGH - 7.5

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions m...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD
CVE-2026-43512 CRITICAL - 9.8

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported version...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD
CVE-2026-42498 HIGH - 7.3

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD
CVE-2026-41293 CRITICAL - 9.8

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to u...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD
CVE-2026-41284 HIGH - 7.5

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade t...

Vendor: Apache Software Foundation
Product: Apache Tomcat
Published: May 12, 2026
Source: NVD
CVE-2026-34187 CRITICAL - 9.8

Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2026-31228 CRITICAL - 9.8

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. The robustness evaluation function for PyTorch models uses the unsafe eval() function to dynamically evaluate user-supplied strings for the LossFn and Optimizer parameters w...

Published: May 12, 2026
Source: NVD
CVE-2026-31226 CRITICAL - 9.8

The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical command injection vulnerability (CWE-78) in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system() without prop...

Published: May 12, 2026
Source: NVD
CVE-2026-31225 HIGH - 8.8

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Altho...

Published: May 12, 2026
Source: NVD
CVE-2026-31224 HIGH - 8.8

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This ...

Vendor: snorkel
Product: snorkel
Published: May 12, 2026
Source: NVD
CVE-2026-31223 HIGH - 8.8

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or se...

Vendor: snorkel
Product: snorkel
Published: May 12, 2026
Source: NVD
CVE-2026-31222 HIGH - 8.8

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior all...

Vendor: snorkel
Product: snorkel
Published: May 12, 2026
Source: NVD
CVE-2026-31221 HIGH - 7.8

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the securi...

Vendor: lightningai
Product: pytorch_lightning
Published: May 12, 2026
Source: NVD
CVE-2026-31220 CRITICAL - 9.8

PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions (via @sy.syft_function()) for remote execution on the server. While...

Published: May 12, 2026
Source: NVD
CVE-2026-31219 HIGH - 8.8

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When a user provides a single model file path (e.g., .pt or .pth) via the --model command-lin...

Published: May 12, 2026
Source: NVD
CVE-2026-31218 HIGH - 8.8

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via torch.load(), the functio...

Published: May 12, 2026
Source: NVD
CVE-2026-31217 CRITICAL - 9.8

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file ...

Published: May 12, 2026
Source: NVD