Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,592
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,141 - 14,160 of 37,942 CVEs
CVE-2026-7414 CRITICAL - 9.8

Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone w...

Vendor: yarbo
Product: lawn_mower_firmware
Published: May 07, 2026
Source: NVD
CVE-2026-7413 HIGH - 7.2

A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates.

Vendor: yarbo
Product: lawn_mower_firmware
Published: May 07, 2026
Source: NVD

Cinny is a Matrix client. Prior to 4.10.3, a remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victi...

Vendor: npm
Product: cinny
Published: May 07, 2026
Source: GitHub
CVE-2026-40610 MEDIUM - 5.5

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifac...

Vendor: pip
Product: bentoml
Published: May 07, 2026
Source: GitHub
CVE-2026-7821 HIGH - 7.4

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of th...

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-6973 HIGH - 7.2

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-5788 HIGH - 7.0

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-5787 HIGH - 8.9

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-5786 HIGH - 8.8

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-36388 MEDIUM - 5.4

A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukul Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application an...

Published: May 07, 2026
Source: NVD
CVE-2026-36387 MEDIUM - 6.5

A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to upload malicious files, which leads to RCE.

Published: May 07, 2026
Source: NVD
CVE-2026-36341 MEDIUM - 5.4

A Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint.

Published: May 07, 2026
Source: NVD
CVE-2025-65122 HIGH - 7.5

Regex Denial of Service in youtube-regex npm package through version 1.0.5.

Published: May 07, 2026
Source: NVD
CVE-2025-63704 CRITICAL - 9.8

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.

Published: May 07, 2026
Source: NVD
CVE-2025-63703 CRITICAL - 9.8

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

Published: May 07, 2026
Source: NVD
CVE-2025-4397 MEDIUM - 6.8

Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

Published: May 07, 2026
Source: NVD
CVE-2025-4386 MEDIUM - 6.8

Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.

Published: May 07, 2026
Source: NVD
CVE-2026-42011 HIGH - 7.4

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validati...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat Hardened Images, Red Hat OpenShift Container Platform 4
Published: May 07, 2026
Source: NVD
CVE-2026-41689 MEDIUM - 6.0

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos...

Vendor: ellite
Product: Wallos
Published: May 07, 2026
Source: NVD
CVE-2026-41688 HIGH - 7.7

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS...

Vendor: ellite
Product: Wallos
Published: May 07, 2026
Source: NVD