Total CVEs

145,712

Critical Severity

4,267

High Severity

15,730

Last 7 Days

2,294
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 13,601 - 13,620 of 42,117 CVEs
CVE-2026-42197 HIGH - 8.7

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin ...

Vendor: inducer
Product: relate
Published: May 27, 2026
Source: NVD

Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control.

Published: May 27, 2026
Source: NVD
CVE-2026-45066 MEDIUM - 6.1

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 398...

Vendor: composer
Product: symfony/html-sanitizer
Published: May 27, 2026
Source: GitHub
CVE-2026-45064 MEDIUM - 6.1

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized c...

Vendor: composer
Product: symfony/html-sanitizer
Published: May 27, 2026
Source: GitHub
CVE-2026-44982 HIGH - 7.2

CrowdSec offers crowdsourced protection against malicious IPs. From 1.5.0 until 1.7.8, pkg/appsec/request.go NewParsedRequestFromRequest allocated a request body buffer from max(r.ContentLength, 0), so HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests without a content-length he...

Vendor: go
Product: github.com/crowdsecurity/crowdsec
Published: May 27, 2026
Source: GitHub

CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing /v1/watchers and /v1/watchers/login to decompress unauthenticated gzip-compressed JSO...

Vendor: go
Product: github.com/crowdsecurity/crowdsec
Published: May 27, 2026
Source: GitHub
CVE-2026-44726 HIGH - 7.4

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attemp...

Vendor: rust
Product: deno
Published: May 27, 2026
Source: GitHub
CVE-2026-25879 CRITICAL - 9.8

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e....

Vendor: pip
Product: langroid
Published: May 27, 2026
Source: GitHub
CVE-2026-8716 MEDIUM - 4.3

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.

Vendor: gitlab
Product: gitlab
Published: May 27, 2026
Source: NVD
CVE-2026-6713 MEDIUM - 5.3

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.

Vendor: gitlab
Product: gitlab
Published: May 27, 2026
Source: NVD
CVE-2026-5296 MEDIUM - 4.3

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions...

Vendor: gitlab
Product: gitlab
Published: May 27, 2026
Source: NVD
CVE-2026-4868 HIGH - 8.2

GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to impro...

Vendor: gitlab
Product: gitlab
Published: May 27, 2026
Source: NVD
CVE-2026-2601 MEDIUM - 4.3

GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to impr...

Vendor: gitlab
Product: gitlab
Published: May 27, 2026
Source: NVD
CVE-2026-1402 MEDIUM - 6.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.

Vendor: gitlab
Product: gitlab
Published: May 27, 2026
Source: NVD
CVE-2026-45618 CRITICAL - 10.0

LiquidJS is Vulnerable to Remote Code Execution

Vendor: npm
Product: liquidjs
Published: May 27, 2026
Source: GitHub
CVE-2026-5509 HIGH - 7.2

An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s...

Vendor: tp-link
Product: archer_be450_firmware
Published: May 27, 2026
Source: NVD
CVE-2026-4392 MEDIUM - 5.3

A vulnerability was detected in TeamSpeak 3 Server up to 3.13.7. This issue affects some unknown processing of the component clientek Handshake Handler. Performing a manipulation of the argument proof results in reachable assertion. Remote exploitation of the attack is possible. Upgrading to version...

Published: May 27, 2026
Source: NVD
CVE-2026-4391 MEDIUM - 5.3

A security vulnerability has been detected in TeamSpeak 3 Server up to 3.13.7. This vulnerability affects unknown code of the component ECC Key Parser. Such manipulation leads to heap-based buffer overflow. The attack may be launched remotely. Upgrading to version 3.13.8 is able to resolve this issu...

Published: May 27, 2026
Source: NVD
CVE-2026-4390 MEDIUM - 5.4

A weakness has been identified in TeamSpeak 3 Server up to 3.13.7. This affects the function process_resend_queue of the component Connection State Management. This manipulation causes use after free. The attack may be initiated remotely. Upgrading to version 3.13.8 is able to mitigate this issue. T...

Published: May 27, 2026
Source: NVD
CVE-2026-48153 HIGH - 8.5

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no sch...

Vendor: Budibase
Product: budibase
Published: May 27, 2026
Source: NVD