Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,599
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,061 - 14,080 of 37,942 CVEs

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: May 07, 2026
Source: NVD

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wr...

Vendor: rust
Product: openssl
Published: May 07, 2026
Source: GitHub
CVE-2026-44661 MEDIUM - 4.7

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / l...

Vendor: pip
Product: utcp-http
Published: May 07, 2026
Source: GitHub
CVE-2026-8114 MEDIUM - 6.3

A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit ...

Published: May 07, 2026
Source: NVD
CVE-2026-8113 MEDIUM - 4.3

A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch ...

Vendor: 8421bit
Product: miniclaw
Published: May 07, 2026
Source: NVD
CVE-2026-8112 MEDIUM - 6.3

A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made...

Published: May 07, 2026
Source: NVD
CVE-2026-8106 MEDIUM - 6.1

A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacke...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD
CVE-2026-8034 CRITICAL - 9.8

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a differen...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are ...

Published: May 07, 2026
Source: NVD
CVE-2026-7541 HIGH - 7.5

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies w...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD
CVE-2026-6736 MEDIUM - 6.5

An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the a...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD
CVE-2026-42826 CRITICAL - 10.0

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: azure_devops
Published: May 07, 2026
Source: NVD
CVE-2026-41929 MEDIUM - 6.1

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or ...

Vendor: givanz
Product: Vvveb
Published: May 07, 2026
Source: NVD
CVE-2026-41928 MEDIUM - 5.3

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response...

Vendor: givanz
Product: Vvveb
Published: May 07, 2026
Source: NVD
CVE-2026-41105 HIGH - 8.1

Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_monitor_action_group_notification_system
Published: May 07, 2026
Source: NVD
CVE-2026-40214 MEDIUM - 6.3

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi ...

Vendor: OpenStack
Product: Cyborg
Published: May 07, 2026
Source: NVD
CVE-2026-40213 HIGH - 7.4

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments c...

Vendor: OpenStack
Product: Cyborg
Published: May 07, 2026
Source: NVD
CVE-2026-35435 HIGH - 8.6

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_ai_foundry
Published: May 07, 2026
Source: NVD
CVE-2026-35428 CRITICAL - 9.6

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: azure_cloud_shell
Published: May 07, 2026
Source: NVD
CVE-2026-34327 HIGH - 8.2

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: partner_center
Published: May 07, 2026
Source: NVD