Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,319
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 13,661 - 13,680 of 42,148 CVEs
CVE-2026-46425 CRITICAL - 9.9

Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check....

Vendor: Budibase
Product: budibase
Published: May 27, 2026
Source: NVD
CVE-2026-45081 MEDIUM - 6.5

Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0.

Vendor: frappe
Product: hrms
Published: May 27, 2026
Source: NVD
CVE-2026-44460 HIGH - 7.4

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoin...

Vendor: error311
Product: FileRise
Published: May 27, 2026
Source: NVD
CVE-2026-44378 HIGH - 7.5

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibi...

Vendor: randombit
Product: botan
Published: May 27, 2026
Source: NVD
CVE-2026-38808 MEDIUM - 5.3

SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components

Published: May 27, 2026
Source: NVD
CVE-2026-38807 HIGH - 8.8

Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component

Published: May 27, 2026
Source: NVD
CVE-2025-69600 HIGH - 7.8

Command injection in Raynet rvia 12.6.4392.49-amd64.deb allows adversaries to execute commands via getconfig, and upload through the URL argument, and oracle through the -o flag The Supplier's perspective is that this is caused by Argument Injection in the find command query in rvia 12.6.4392.4...

Published: May 27, 2026
Source: NVD
CVE-2025-67903 MEDIUM - 5.3

Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass.

Published: May 27, 2026
Source: NVD
CVE-2026-45617 HIGH - 7.5

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <scri...

Vendor: npm
Product: liquidjs
Published: May 27, 2026
Source: GitHub

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers that ...

Vendor: composer
Product: getkirby/cms
Published: May 27, 2026
Source: GitHub
CVE-2026-45357 HIGH - 7.5

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad()/padStart(), leading to memory and render...

Vendor: npm
Product: liquidjs
Published: May 27, 2026
Source: GitHub

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permissions. Kirby's Panel includes a content-locking feature that records which user currently has a...

Vendor: composer
Product: getkirby/cms
Published: May 27, 2026
Source: GitHub
CVE-2026-45260 HIGH - 8.1

Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling

Vendor: composer
Product: pimcore/pimcore
Published: May 27, 2026
Source: GitHub
CVE-2026-49054 MEDIUM - 4.3

Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Post Grid: from n/a through 7.9.2.

Vendor: Mamunur Rashid
Product: The Post Grid
Published: May 27, 2026
Source: NVD
CVE-2026-48027 CRITICAL - 9.8

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and t...

Vendor: nrwl
Product: nx-console
Published: May 27, 2026
Source: NVD
CVE-2026-45335 MEDIUM - 5.4

WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=InternoControle. Th...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: May 27, 2026
Source: NVD
CVE-2026-45027 MEDIUM - 5.9

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/Func...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: May 27, 2026
Source: NVD
CVE-2026-42790 HIGH - 8.1

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. pe...

Vendor: Erlang
Product: OTP
Published: May 27, 2026
Source: NVD
CVE-2026-38945 HIGH - 7.8

Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.

Published: May 27, 2026
Source: NVD
CVE-2026-38931 MEDIUM - 5.4

A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.

Published: May 27, 2026
Source: NVD