Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,590
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,161 - 14,180 of 37,942 CVEs
CVE-2026-41687 MEDIUM - 4.3

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) that does ...

Vendor: ellite
Product: Wallos
Published: May 07, 2026
Source: NVD
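
The Wallos entry above is truncated before it says what the inline filter_var check misses, so the following is not a reconstruction of that bug. It is an added example (not Wallos code) of what a robust outbound-URL guard for the same SSRF class looks like in Python: it checks every address a hostname resolves to, not just a literal IP, unwraps IPv4-mapped IPv6, and rejects loopback, link-local, unspecified and multicast ranges alongside private and reserved ones. The FAKE_DNS table is constructed so the example runs offline; default_resolver is the real-world equivalent.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver map standing in for DNS so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],      # cloud metadata endpoint
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolver(host):
    """Offline stand-in for DNS; unknown names are treated as unresolvable."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"unresolvable host: {host}")


def default_resolver(host):
    """Real resolver: collect every A/AAAA answer, because one safe answer is not enough."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """True only for a globally routable unicast address."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def check_outbound_url(url, resolver=fake_resolver):
    """Return the resolved addresses if every one is public; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP: nothing to resolve
    except ValueError:
        addrs = resolver(host)
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return addrs
```

Two caveats a practitioner would add: the HTTP client must connect to the address this check approved (pinning the IP and sending the original Host header) rather than resolving the name a second time, otherwise a DNS-rebinding answer defeats the check; and the check must run after redirects too, since a public host can 302 to an internal one.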
CVE-2026-41505 HIGH - 8.7

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16.

Vendor: inducer
Product: relate
Published: May 07, 2026
Source: NVD
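
The RELATE entry names the affected functions but not how their tokens were generated. As an added example (not RELATE's code), the block below shows the general failure mode behind "predictable token generation": a token drawn from a seeded PRNG is recoverable by anyone who can narrow down the seed, here a constructed issue timestamp, while a token drawn from the secrets module is not. weak_token, strong_token and attacker_guess are hypothetical names.

```python
import random
import secrets

TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TOKEN_LENGTH = 32  # log2(36**32) is about 165 bits when the source is a CSPRNG


def weak_token(seed, length=TOKEN_LENGTH):
    """Hypothetical weak generator: Mersenne Twister seeded from a guessable value."""
    rng = random.Random(seed)
    return "".join(rng.choice(TOKEN_ALPHABET) for _ in range(length))


def strong_token(length=TOKEN_LENGTH):
    """CSPRNG-backed token; no observable state lets an attacker reproduce it."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def attacker_guess(observed_token, approx_issue_time, window=120):
    """Brute-force seeds in a +/- window around the suspected issue time.

    Returns the seed that reproduces the observed token, or None if none does.
    """
    centre = int(approx_issue_time)
    for candidate in range(centre - window, centre + window + 1):
        if weak_token(candidate, len(observed_token)) == observed_token:
            return candidate
    return None


def demo_weak_key_recovered():
    """Constructed scenario: a sign-in key issued at a known-ish time is reproduced."""
    issued_at = 1_700_000_000  # constructed Unix timestamp
    victim_key = weak_token(issued_at)
    # The attacker only knows the issue time to within about a minute.
    return attacker_guess(victim_key, issued_at + 37) == issued_at
```

The fix is the same in any language: tokens that gate authentication or exam access come from the platform CSPRNG (secrets.token_urlsafe in Python), are long enough that brute force is infeasible, and are compared in constant time.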
CVE-2026-36458 CRITICAL - 9.8

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.

Published: May 07, 2026
Source: NVD

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Su...

Vendor: ericmj
Product: decimal
Published: May 07, 2026
Source: NVD
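
The decimal entry describes the classic shape of this bug: parsing "1e1000000000" is cheap because the library stores a coefficient and an exponent, and the cost only appears when something later expands the value. Python's decimal module behaves the same way (Decimal("1e1000000000") is instant; int() of it would try to build a billion-digit integer), so the added example below, which is not the ericmj/decimal project's code, shows the bound that should sit at the trust boundary: reject inputs whose exponent or digit count exceeds a policy limit before they are stored. MAX_ABS_EXPONENT and MAX_DIGITS are assumed limits to be chosen per application.

```python
from decimal import Decimal, InvalidOperation

MAX_ABS_EXPONENT = 1_000  # assumed policy limit; pick what your domain actually needs
MAX_DIGITS = 64           # assumed limit on coefficient digits


class DecimalTooLarge(ValueError):
    """Raised for syntactically valid decimals that exceed the storage policy."""


def parse_bounded_decimal(text, max_abs_exponent=MAX_ABS_EXPONENT, max_digits=MAX_DIGITS):
    """Parse a decimal string, refusing values whose stored form is unbounded.

    Decimal(text) itself is cheap for "1e1000000000": coefficient 1, exponent 10**9.
    The denial of service comes later (int(), quantize(), formatting, arithmetic),
    so the bound is enforced here, before the value reaches storage or arithmetic.
    """
    # Crude pre-check so a multi-megabyte literal is rejected before parsing.
    if len(text) > max_digits + 32:
        raise DecimalTooLarge("literal too long")
    try:
        value = Decimal(text)
    except InvalidOperation as exc:
        raise ValueError(f"not a decimal: {text!r}") from exc
    if not value.is_finite():
        raise DecimalTooLarge("NaN/Infinity not accepted")
    _sign, digits, exponent = value.as_tuple()
    if len(digits) > max_digits:
        raise DecimalTooLarge(f"{len(digits)} coefficient digits exceed {max_digits}")
    if abs(exponent) > max_abs_exponent:
        raise DecimalTooLarge(f"exponent {exponent} exceeds +/-{max_abs_exponent}")
    return value
```

Applying the limit at parse time also keeps the database schema honest: a NUMERIC(precision, scale) column cannot hold "1e1000000000" either, so rejecting it at input avoids a round trip that fails or, worse, a driver that silently expands it.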
CVE-2025-67202 MEDIUM - 6.1

Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to cross-site scripting (XSS) via a crafted URL being rendered from cron.erb.

Published: May 07, 2026
Source: NVD
CVE-2025-63706 CRITICAL - 9.8

NPM package next-npm-version 1.0.1 is vulnerable to command injection.

Published: May 07, 2026
Source: NVD
CVE-2025-63705 HIGH - 8.8

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.

Published: May 07, 2026
Source: NVD
CVE-2026-6795 CRITICAL - 9.6

URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

Published: May 07, 2026
Source: NVD
CVE-2026-41589 CRITICAL - 9.6

Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and...

Vendor: charmbracelet
Product: wish
Published: May 07, 2026
Source: NVD
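
The Wish entry describes an SCP middleware where a client-supplied path escapes the directory the server meant to expose. The Wish project is written in Go; the block below is an added Python example (not Wish's code) of the confinement check such a file-serving handler needs: reject absolute paths and NUL bytes, normalise away any ".." escape, then resolve symlinks and confirm the final real path still has the root as its prefix. resolve_within and PathTraversal are hypothetical names; the symlink demonstration builds a throwaway directory.

```python
import os
import posixpath
import shutil
import tempfile


class PathTraversal(ValueError):
    """Raised when a client-supplied path would leave the served root."""


def resolve_within(root, requested):
    """Map an SCP-style client path onto a real path guaranteed to stay under root.

    root: the directory the server is willing to expose.
    requested: the path string the client sent, expected to be relative.
    """
    if "\x00" in requested:
        raise PathTraversal("NUL byte in path")
    if requested.startswith("/"):
        raise PathTraversal(f"absolute path rejected: {requested!r}")
    # Lexical check: after normalisation nothing may climb above the root.
    norm = posixpath.normpath(requested)
    if norm == ".." or norm.startswith("../"):
        raise PathTraversal(f"escapes root: {requested!r}")
    # Filesystem check: symlinks inside the root may still point outside it.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, norm))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathTraversal(f"resolves outside root: {target}")
    return target


def demo_symlink_escape():
    """Constructed root containing a symlink to '/', to show the realpath check catching it."""
    root = tempfile.mkdtemp(prefix="scp-root-")
    try:
        os.symlink("/", os.path.join(root, "escape"))
        try:
            resolve_within(root, "escape/etc/passwd")
        except PathTraversal:
            return True
        return False
    finally:
        shutil.rmtree(root)
```

The lexical and filesystem checks are both needed: the first catches "../" sequences even when the path does not exist yet (an upload target), the second catches symlinks and case-folding or mount tricks the first cannot see. For writes, the server should also open the file with O_NOFOLLOW so a symlink planted between the check and the write is not followed.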
CVE-2026-41554 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS. This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2.

Vendor: Bricks
Product: Bricks Builder
Published: May 07, 2026
Source: NVD
CVE-2026-41490 HIGH - 8.3

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic...

Vendor: dagster-io
Product: dagster
Published: May 07, 2026
Source: NVD
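
Two entries above describe the same defect: ChestnutCMS injects a template-tag parameter into a query at render time, and Dagster's I/O managers built WHERE clauses by interpolating dynamic values (the entry is truncated; partition keys are assumed here). The added example below, which is neither project's code, shows the interpolated and the parameterised form side by side over a constructed sqlite3 table, plus the identifier case that parameters cannot cover, where an allowlist is the only sound option.

```python
import sqlite3


def build_db():
    """In-memory table with constructed rows standing in for an asset's partitions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (partition_key TEXT, payload TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", [
        ("2024-01-01", "january"),
        ("2024-01-02", "second day"),
        ("2024-02-01", "february"),
    ])
    conn.commit()
    return conn


def load_partition_interpolated(conn, partition_key):
    """Vulnerable pattern: the value is pasted into the WHERE clause as SQL text."""
    sql = f"SELECT payload FROM events WHERE partition_key = '{partition_key}'"
    return [row[0] for row in conn.execute(sql)]


def load_partition_parameterized(conn, partition_key):
    """Fixed pattern: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT payload FROM events WHERE partition_key = ?"
    return [row[0] for row in conn.execute(sql, (partition_key,))]


# Column names cannot be bound as parameters; a closed allowlist is the fix for
# template-style parameters that end up as identifiers (ORDER BY, table names).
ALLOWED_SORT_COLUMNS = {"partition_key", "payload"}


def load_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_column!r}")
    sql = f"SELECT payload FROM events ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run the hostile partition value through both forms and return what each yields."""
    conn = build_db()
    hostile = "2024-01-01' OR '1'='1"
    return {
        "interpolated": load_partition_interpolated(conn, hostile),
        "parameterized": load_partition_parameterized(conn, hostile),
        "legit": load_partition_parameterized(conn, "2024-01-01"),
    }
```

The interpolated form returns every row for the hostile value because the quote closes the literal and the OR tautology takes over; the parameterised form returns nothing, since no partition is literally named that. Escaping quotes instead of binding is not an equivalent fix: it breaks on multi-byte encodings and on values that are not strings.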
CVE-2026-30496 CRITICAL - 9.8

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightn...

Published: May 07, 2026
Source: NVD
CVE-2026-30495 HIGH - 8.8

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is configured with ro.adb.secure=0, which disables RSA key verification. Additionally, a functional su bina...

Published: May 07, 2026
Source: NVD
CVE-2025-14341 HIGH - 8.3

Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3....

Vendor: DivvyDrive Information Technologies Inc.
Product: DivvyDrive
Published: May 07, 2026
Source: NVD
CVE-2026-8094 CRITICAL - 9.8

Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.

Vendor: mozilla
Product: firefox
Published: May 07, 2026
Source: NVD
CVE-2026-8093 HIGH - 7.5

Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2.

Vendor: mozilla
Product: firefox
Published: May 07, 2026
Source: NVD
CVE-2026-8092 HIGH - 8.1

Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 1...

Vendor: mozilla
Product: firefox
Published: May 07, 2026
Source: NVD
CVE-2026-8091 CRITICAL - 9.8

Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.

Vendor: mozilla
Product: firefox
Published: May 07, 2026
Source: NVD
CVE-2026-8090 HIGH - 7.3

Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.

Vendor: mozilla
Product: firefox
Published: May 07, 2026
Source: NVD
CVE-2026-6002 HIGH - 8.8

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

Published: May 07, 2026
Source: NVD