Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,636
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 12,921 - 12,940 of 37,942 CVEs
CVE-2026-5061 MEDIUM - 4.7

The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.

Published: May 12, 2026
Source: NVD
CVE-2026-43983 HIGH - 8.1

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization s...

Vendor: pocket-id
Product: pocket-id
Published: May 12, 2026
Source: NVD

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection. The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'E...

Vendor: elixir-ecto
Product: postgrex
Published: May 12, 2026
Source: NVD
CVE-2025-70842 MEDIUM - 5.4

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who access...

Published: May 12, 2026
Source: NVD
CVE-2026-45090 HIGH - 7.5

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (clos...

Vendor: go
Product: github.com/hahwul/dalfox/v2
Published: May 12, 2026
Source: GitHub
CVE-2026-45089 HIGH - 8.2

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unch...

Vendor: go
Product: github.com/hahwul/dalfox/v2
Published: May 12, 2026
Source: GitHub
CVE-2026-45088 HIGH - 7.5

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged throug...

Vendor: go
Product: github.com/hahwul/dalfox/v2
Published: May 12, 2026
Source: GitHub
CVE-2026-45087 CRITICAL - 10.0

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options ...

Vendor: go
Product: github.com/hahwul/dalfox/v2
Published: May 12, 2026
Source: GitHub
CVE-2026-44295 HIGH - 8.7

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service...

Vendor: npm
Product: protobufjs-cli
Published: May 12, 2026
Source: GitHub
CVE-2026-44294 MEDIUM - 5.3

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function...

Vendor: npm
Product: protobufjs
Published: May 12, 2026
Source: GitHub
CVE-2026-44293 HIGH - 8.8

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default val...

Vendor: npm
Product: protobufjs
Published: May 12, 2026
Source: GitHub
CVE-2026-44292 MEDIUM - 5.3

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-co...

Vendor: npm
Product: protobufjs
Published: May 12, 2026
Source: GitHub
CVE-2026-44291 HIGH - 8.1

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables...

Vendor: npm
Product: protobufjs
Published: May 12, 2026
Source: GitHub
CVE-2026-44290 HIGH - 7.5

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write ...

Vendor: npm
Product: protobufjs
Published: May 12, 2026
Source: GitHub
CVE-2026-44289 HIGH - 7.5

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf ...

Vendor: npm
Product: protobufjs
Published: May 12, 2026
Source: GitHub
CVE-2026-44288 MEDIUM - 5.3

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf bi...

Vendor: npm
Product: protobufjs
Published: May 12, 2026
Source: GitHub
CVE-2026-42290 HIGH - 7.8

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead...

Vendor: npm
Product: protobufjs-cli
Published: May 12, 2026
Source: GitHub
CVE-2026-8391 MEDIUM - 5.3

Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

Vendor: mozilla
Product: firefox
Published: May 12, 2026
Source: NVD
CVE-2026-8390 HIGH - 7.3

Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.

Vendor: mozilla
Product: firefox
Published: May 12, 2026
Source: NVD
CVE-2026-8389 HIGH - 7.3

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.

Vendor: mozilla
Product: firefox
Published: May 12, 2026
Source: NVD