Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,667
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,781 - 13,800 of 37,697 CVEs
CVE-2026-8131 HIGH - 7.3

A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public ...

Published: May 08, 2026
Source: NVD
CVE-2026-8130 HIGH - 7.3

A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be us...

Published: May 08, 2026
Source: NVD
CVE-2026-8129 HIGH - 7.3

A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclo...

Published: May 08, 2026
Source: NVD
CVE-2026-44298 MEDIUM - 4.1

Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) ins...

Vendor: kimai
Product: kimai
Published: May 08, 2026
Source: NVD
CVE-2026-43944 CRITICAL - 9.6

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or openin...

Vendor: electerm
Product: electerm
Published: May 08, 2026
Source: NVD
CVE-2026-43943 HIGH - 7.8

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open wit...

Vendor: electerm
Product: electerm
Published: May 08, 2026
Source: NVD
CVE-2026-43942 MEDIUM - 5.5

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessi...

Vendor: electerm
Product: electerm
Published: May 08, 2026
Source: NVD
CVE-2026-43941 CRITICAL - 9.6

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal ...

Vendor: electerm
Product: electerm
Published: May 08, 2026
Source: NVD
CVE-2026-43940 HIGH - 8.4

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating userโ€‘supplied widget identifiers without any sanitisation. Because runWidget is...

Vendor: electerm
Product: electerm
Published: May 08, 2026
Source: NVD
CVE-2026-42275 HIGH - 8.7

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a l...

Vendor: openziti
Product: zrok
Published: May 08, 2026
Source: NVD

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can...

Vendor: dadrus
Product: heimdall
Published: May 08, 2026
Source: NVD

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host tha...

Vendor: dadrus
Product: heimdall
Published: May 08, 2026
Source: NVD

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognize...

Vendor: dadrus
Product: heimdall
Published: May 08, 2026
Source: NVD
CVE-2026-42271 HIGH - 8.8

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it โ€” POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list โ€” accepted a full server configuration ...

Vendor: BerriAI
Product: litellm
Published: May 08, 2026
Source: NVD
CVE-2026-42261 HIGH - 7.1

PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to ...

Vendor: legeling
Product: PromptHub
Published: May 08, 2026
Source: NVD
CVE-2026-42208 CRITICAL - 9.8

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthentic...

Vendor: BerriAI
Product: litellm
Published: May 08, 2026
Source: NVD
CVE-2026-42203 HIGH - 8.8

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the Lit...

Vendor: BerriAI
Product: litellm
Published: May 08, 2026
Source: NVD
CVE-2026-42150 MEDIUM - 5.1

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.

Vendor: WeblateOrg
Product: wlc
Published: May 08, 2026
Source: NVD
CVE-2026-41500 CRITICAL - 9.8

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exe...

Vendor: electerm
Product: electerm
Published: May 08, 2026
Source: NVD
CVE-2026-8128 HIGH - 7.3

A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made publ...

Published: May 08, 2026
Source: NVD