Total CVEs

141,492

Critical Severity

3,867

High Severity

13,899

Last 7 Days

1,704
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,041 - 14,060 of 37,897 CVEs
CVE-2026-26164 HIGH - 7.5

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-26129 HIGH - 7.5

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-44641 HIGH - 7.1

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but th...

Vendor: pip
Product: apm-cli
Published: May 07, 2026
Source: GitHub
CVE-2026-8098 HIGH - 7.3

A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly an...

Published: May 07, 2026
Source: NVD
CVE-2026-8097 MEDIUM - 6.3

A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be...

Published: May 07, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-34429. Reason: This candidate is a duplicate of CVE-2026-34429. Notes: All CVE users should reference CVE-2026-34429 instead of this candidate.

Published: May 07, 2026
Source: NVD
CVE-2026-41692 MEDIUM - 4.7

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/loc...

Vendor: i18next
Product: i18nextify
Published: May 07, 2026
Source: NVD
CVE-2026-41691 MEDIUM - 6.5

Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template w...

Vendor: i18next
Product: i18next-http-backend
Published: May 07, 2026
Source: NVD
CVE-2026-44523 CRITICAL - 10.0

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: May 07, 2026
Source: GitHub

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored dir...

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: May 07, 2026
Source: GitHub
CVE-2026-44497 CRITICAL - 9.1

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of retur...

Vendor: rust
Product: zebra-script
Published: May 07, 2026
Source: GitHub
CVE-2026-44500 MEDIUM - 5.3

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter prot...

Vendor: rust
Product: zebra-network
Published: May 07, 2026
Source: GitHub
CVE-2026-44498 CRITICAL - 7.5

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a ...

Vendor: rust
Product: zebrad
Published: May 07, 2026
Source: GitHub

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validati...

Vendor: npm
Product: nuxt-og-image
Published: May 07, 2026
Source: GitHub
CVE-2026-8142 MEDIUM - 6.5

VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.

Published: May 07, 2026
Source: NVD
CVE-2026-8088 LOW - 3.3

A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD
CVE-2026-8087 MEDIUM - 5.3

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The expl...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD
CVE-2026-43510 HIGH - 7.6

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.

Vendor: CISA
Product: manage.get.gov
Published: May 07, 2026
Source: NVD
CVE-2026-42501 HIGH - 7.5

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered vers...

Vendor: Go toolchain
Product: cmd/go
Published: May 07, 2026
Source: NVD
CVE-2026-42499 HIGH - 7.5

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Vendor: Go standard library
Product: net/mail
Published: May 07, 2026
Source: NVD