Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,750
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,981 - 14,000 of 38,670 CVEs
CVE-2026-44992 MEDIUM - 5.0

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.

Vendor: OpenClaw
Product: OpenClaw
Published: May 11, 2026
Source: NVD
CVE-2026-44991 MEDIUM - 4.2

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands li...

Vendor: OpenClaw
Product: OpenClaw
Published: May 11, 2026
Source: NVD
CVE-2026-44777 MEDIUM - 5.5

jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.

Vendor: jqlang
Product: jq
Published: May 11, 2026
Source: NVD
CVE-2026-44659 MEDIUM - 4.7

Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdom...

Vendor: zen-browser
Product: desktop
Published: May 11, 2026
Source: NVD

Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and da...

Vendor: zen-browser
Product: desktop
Published: May 11, 2026
Source: NVD
CVE-2026-44413 HIGH - 8.2

In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users could expose server API to unauthorised access

Vendor: JetBrains
Product: TeamCity
Published: May 11, 2026
Source: NVD

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (...

Vendor: FlowiseAI
Product: Flowise
Published: May 11, 2026
Source: NVD
CVE-2026-43896 MEDIUM - 6.2

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

Vendor: jqlang
Product: jq
Published: May 11, 2026
Source: NVD
CVE-2026-43895 MEDIUM - 4.4

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or a...

Vendor: jqlang
Product: jq
Published: May 11, 2026
Source: NVD
CVE-2026-43894 MEDIUM - 6.2

jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-...

Vendor: jqlang
Product: jq
Published: May 11, 2026
Source: NVD
CVE-2026-43640 HIGH - 8.1

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

Vendor: bitwarden
Product: server
Published: May 11, 2026
Source: NVD
CVE-2026-43639 HIGH - 8.0

Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations a...

Vendor: bitwarden
Product: server
Published: May 11, 2026
Source: NVD
CVE-2026-43638 MEDIUM - 5.4

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side permission check to b...

Vendor: bitwarden
Product: server
Published: May 11, 2026
Source: NVD

Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerabil...

Vendor: elie222
Product: inbox-zero
Published: May 11, 2026
Source: NVD

Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-25...

Vendor: any1
Product: neatvnc
Published: May 11, 2026
Source: NVD
CVE-2026-42858 HIGH - 8.5

Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadata_url POST parameter. This URL is passed directly to requests.get() i...

Vendor: openedx
Product: openedx-platform
Published: May 11, 2026
Source: NVD
CVE-2026-42857 MEDIUM - 4.6

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe ...

Vendor: openedx
Product: openedx-platform
Published: May 11, 2026
Source: NVD
CVE-2026-42316 MEDIUM - 6.5

kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping e...

Vendor: Azure
Product: kafka-sink-azure-kusto
Published: May 11, 2026
Source: NVD
CVE-2026-41431 HIGH - 8.0

Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signature...

Vendor: zen-browser
Product: desktop
Published: May 11, 2026
Source: NVD
CVE-2026-41257 MEDIUM - 5.5

jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond โ‰ˆ1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used ...

Vendor: jqlang
Product: jq
Published: May 11, 2026
Source: NVD