Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,724
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,181 - 14,200 of 38,432 CVEs
CVE-2026-6659 HIGH - 7.5

Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure random values for salts. The built-in rand function is predictable and unsuitable for cryptography.

Published: May 08, 2026
Source: NVD
CVE-2026-44714 HIGH - 7.5

The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj ve...

Vendor: maven
Product: org.bitcoinj:bitcoinj-core
Published: May 08, 2026
Source: GitHub
CVE-2026-44310 MEDIUM - 5.4

Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A CMS/PKCS7 signed message w...

Vendor: go
Product: github.com/sigstore/gitsign
Published: May 08, 2026
Source: GitHub
CVE-2026-42876 MEDIUM - 4.9

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate w...

Vendor: go
Product: github.com/external-secrets/external-secrets/apis
Published: May 08, 2026
Source: GitHub
CVE-2026-44430 MEDIUM - 4.0

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification (POST /v0/auth/http, POST /v0.1/auth/http) uses safeDialContext (internal/api/handlers/v0/auth/http.go:67-110) to refuse dialling...

Vendor: go
Product: github.com/modelcontextprotocol/registry
Published: May 08, 2026
Source: GitHub
CVE-2026-44429 MEDIUM - 5.4

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / (file internal/api/handlers/v0/ui_index.html) is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published ser...

Vendor: go
Product: github.com/modelcontextprotocol/registry
Published: May 08, 2026
Source: GitHub
CVE-2026-42072 CRITICAL - 9.8

Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bo...

Vendor: orneryd
Product: NornicDB
Published: May 08, 2026
Source: NVD
CVE-2026-42030 MEDIUM - 6.1

MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The...

Vendor: MapServer
Product: MapServer
Published: May 08, 2026
Source: NVD
CVE-2026-42028 MEDIUM - 5.3

novaGallery is a PHP image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intended gallery root directory. This issue has been patched in version 2.1.1.

Vendor: novafacile
Product: novagallery
Published: May 08, 2026
Source: NVD

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a str...

Vendor: jackc
Product: pgx
Published: May 08, 2026
Source: NVD
CVE-2026-41887 MEDIUM - 4.9

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for ...

Vendor: flarum
Product: framework
Published: May 08, 2026
Source: NVD
CVE-2026-38360 CRITICAL - 9.8

Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), and BaseHttpRequestHandler._post() components.

Published: May 08, 2026
Source: NVD
CVE-2026-44671 HIGH - 7.5

ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This al...

Vendor: go
Product: github.com/zitadel/zitadel
Published: May 08, 2026
Source: GitHub

Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client (active) role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception ...

Vendor: erlang
Product: ex_webrtc
Published: May 08, 2026
Source: GitHub

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher alw...

Vendor: go
Product: github.com/modelcontextprotocol/registry
Published: May 08, 2026
Source: GitHub

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that...

Vendor: go
Product: github.com/modelcontextprotocol/registry
Published: May 08, 2026
Source: GitHub
CVE-2026-44694 HIGH - 9.1

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), ...

Vendor: npm
Product: n8n-mcp
Published: May 08, 2026
Source: GitHub
CVE-2026-44212 CRITICAL - 9.3

PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The pay...

Vendor: composer
Product: prestashop/prestashop
Published: May 08, 2026
Source: GitHub

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all cl...

Vendor: go
Product: github.com/siyuan-note/siyuan/kernel
Published: May 08, 2026
Source: GitHub
CVE-2026-44665 HIGH - 6.1

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data has quotes in attribute values but entity processing is not enabled, the builder breaks the attribute value into multiple attributes. This gives an attacker room to insert unwanted attributes into the XML/HTML. This vulnerability ...

Vendor: npm
Product: fast-xml-builder
Published: May 08, 2026
Source: GitHub