Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,659
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,821 - 13,840 of 37,697 CVEs
CVE-2026-8112 MEDIUM - 6.3

A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made...

Published: May 07, 2026
Source: NVD
CVE-2026-8106 MEDIUM - 6.1

A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacke...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD
CVE-2026-8034 CRITICAL - 9.8

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a differen...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are ...

Published: May 07, 2026
Source: NVD
CVE-2026-7541 HIGH - 7.5

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies w...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD
CVE-2026-6736 MEDIUM - 6.5

An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the a...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD
CVE-2026-42826 CRITICAL - 10.0

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: azure_devops
Published: May 07, 2026
Source: NVD
CVE-2026-41929 MEDIUM - 6.1

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or ...

Vendor: givanz
Product: Vvveb
Published: May 07, 2026
Source: NVD
CVE-2026-41928 MEDIUM - 5.3

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response...

Vendor: givanz
Product: Vvveb
Published: May 07, 2026
Source: NVD
CVE-2026-41105 HIGH - 8.1

Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_monitor_action_group_notification_system
Published: May 07, 2026
Source: NVD
CVE-2026-40214 MEDIUM - 6.3

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi ...

Vendor: OpenStack
Product: Cyborg
Published: May 07, 2026
Source: NVD
CVE-2026-40213 HIGH - 7.4

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments c...

Vendor: OpenStack
Product: Cyborg
Published: May 07, 2026
Source: NVD
CVE-2026-35435 HIGH - 8.6

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_ai_foundry
Published: May 07, 2026
Source: NVD
CVE-2026-35428 CRITICAL - 9.6

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: azure_cloud_shell
Published: May 07, 2026
Source: NVD
CVE-2026-34327 HIGH - 8.2

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: partner_center
Published: May 07, 2026
Source: NVD
CVE-2026-33844 CRITICAL - 9.0

Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_managed_instance_for_apache_cassandra
Published: May 07, 2026
Source: NVD
CVE-2026-33823 CRITICAL - 9.6

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

Vendor: microsoft
Product: teams
Published: May 07, 2026
Source: NVD
CVE-2026-33111 HIGH - 7.5

Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-33109 CRITICAL - 9.9

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_managed_instance_for_apache_cassandra
Published: May 07, 2026
Source: NVD
CVE-2026-32207 HIGH - 8.8

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: azure_machine_learning
Published: May 07, 2026
Source: NVD