Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,598
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,081 - 14,100 of 37,942 CVEs
CVE-2026-33844 CRITICAL - 9.0

Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_managed_instance_for_apache_cassandra
Published: May 07, 2026
Source: NVD
CVE-2026-33823 CRITICAL - 9.6

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

Vendor: microsoft
Product: teams
Published: May 07, 2026
Source: NVD
CVE-2026-33111 HIGH - 7.5

Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-33109 CRITICAL - 9.9

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_managed_instance_for_apache_cassandra
Published: May 07, 2026
Source: NVD
CVE-2026-32207 HIGH - 8.8

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: azure_machine_learning
Published: May 07, 2026
Source: NVD
CVE-2026-26164 HIGH - 7.5

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-26129 HIGH - 7.5

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-44641 HIGH - 7.1

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but th...

Vendor: pip
Product: apm-cli
Published: May 07, 2026
Source: GitHub
CVE-2026-8098 HIGH - 7.3

A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly an...

Published: May 07, 2026
Source: NVD
CVE-2026-8097 MEDIUM - 6.3

A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in SQL injection. The attack may be performed from remote. The exploit has been released to the public and may be...

Published: May 07, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-34429. Reason: This candidate is a duplicate of CVE-2026-34429. Notes: All CVE users should reference CVE-2026-34429 instead of this candidate.

Published: May 07, 2026
Source: NVD
CVE-2026-41692 MEDIUM - 4.7

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/loc...

Vendor: i18next
Product: i18nextify
Published: May 07, 2026
Source: NVD
CVE-2026-41691 MEDIUM - 6.5

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template w...

Vendor: i18next
Product: i18next-http-backend
Published: May 07, 2026
Source: NVD
CVE-2026-44523 CRITICAL - 10.0

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: May 07, 2026
Source: GitHub

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored dir...

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: May 07, 2026
Source: GitHub
CVE-2026-44497 CRITICAL - 9.1

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of retur...

Vendor: rust
Product: zebra-script
Published: May 07, 2026
Source: GitHub
CVE-2026-44500 MEDIUM - 5.3

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter prot...

Vendor: rust
Product: zebra-network
Published: May 07, 2026
Source: GitHub
CVE-2026-44498 CRITICAL - 7.5

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a ...

Vendor: rust
Product: zebrad
Published: May 07, 2026
Source: GitHub

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validati...

Vendor: npm
Product: nuxt-og-image
Published: May 07, 2026
Source: GitHub
CVE-2026-8142 MEDIUM - 6.5

VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.

Published: May 07, 2026
Source: NVD