Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,531
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1,341 - 1,360 of 1,593 CVEs
CVE-2026-2858 LOW - 3.3

A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. Such manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and migh...

Vendor: wren
Product: wren
Published: Feb 20, 2026
Source: NVD

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and t...

Vendor: npm
Product: openclaw
Published: Feb 20, 2026
Source: GitHub

A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be us...

Vendor: detronetdip
Product: E-commerce
Published: Feb 20, 2026
Source: NVD

A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory.

Vendor: EnOcean Edge Inc
Product: SmartServer IoT
Published: Feb 20, 2026
Source: NVD

HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.

Vendor: hcltech
Product: connections
Published: Feb 20, 2026
Source: NVD
CVE-2026-2825 LOW - 3.5

A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the p...

Published: Feb 20, 2026
Source: NVD

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_se...

Vendor: windmill-labs
Product: windmill
Published: Feb 20, 2026
Source: NVD

Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate shoul...

Vendor: sigstore
Product: cosign
Published: Feb 19, 2026
Source: NVD

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache t...

Vendor: pip
Product: flask
Published: Feb 19, 2026
Source: GitHub

Missing Authorization vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real 3D FlipBook: from n/a through <= 4.16.4.

Vendor: creativeinteractivemedia
Product: Real 3D FlipBook
Published: Feb 19, 2026
Source: NVD
CVE-2026-2733 LOW - 3.8

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client โ€œEnabledโ€ setting to OFF does not fully prevent access. As a result, previously va...

Vendor: maven
Product: org.keycloak:keycloak-services
Published: Feb 19, 2026
Source: NVD
CVE-2026-2709 LOW - 3.5

A flaw has been found in busy up to 2.5.5. The affected element is an unknown function of the file source-code/busy-master/src/server/app.js of the component Callback Handler. Executing a manipulation of the argument state can lead to open redirect. It is possible to launch the attack remotely. The ...

Published: Feb 19, 2026
Source: NVD
CVE-2026-2703 LOW - 3.3

A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access. Th...

Published: Feb 19, 2026
Source: NVD
CVE-2026-2702 LOW - 3.1

A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attac...

Published: Feb 19, 2026
Source: NVD

The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for...

Vendor: walterpinem
Product: OneClick Chat to Order
Published: Feb 19, 2026
Source: NVD

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult i...

Vendor: go
Product: filippo.io/edwards25519
Published: Feb 18, 2026
Source: GitHub

Rejected reason: Further research determined the issue is an external dependency vulnerability.

Vendor: go
Product: github.com/refraction-networking/utls
Published: Feb 18, 2026
Source: GitHub

uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with Chrome when using GREASE ECH, related to cipher suite selection. When Chrome selects the preferred cip...

Vendor: go
Product: github.com/refraction-networking/utls
Published: Feb 18, 2026
Source: GitHub
CVE-2025-8860 LOW - 3.3

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocation...

Published: Feb 18, 2026
Source: NVD

A flaw was found in FFmpegโ€™s TensorFlow backend within the libavfilter/dnn_backend_tf.c source file. The issue occurs in the dnn_execute_model_tf() function, where a task object is freed multiple times in certain error-handling paths. This redundant memory deallocation can lead to a double-free cond...

Published: Feb 18, 2026
Source: NVD