Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,585
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 14,201 - 14,220 of 37,942 CVEs
CVE-2025-66105 MEDIUM - 5.3

Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8.

Vendor: Magepeople inc.
Product: Bus Ticket Booking with Seat Reservation
Published: May 07, 2026
Source: NVD
CVE-2025-62127 MEDIUM - 5.9

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS. This issue affects WEN Logo Slider: from n/a through 3.4.0.

Vendor: WEN Themes
Product: WEN Logo Slider
Published: May 07, 2026
Source: NVD
CVE-2025-2514 MEDIUM - 5.3

Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Bl...

Vendor: hitachi
Product: virtual_storage_one_block
Published: May 07, 2026
Source: NVD
CVE-2025-1978 HIGH - 8.3

Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual St...

Vendor: hitachi
Product: virtual_storage_one_block
Published: May 07, 2026
Source: NVD
CVE-2024-43384 HIGH - 8.0

A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer.

Vendor: phoenixcontact
Product: fl_mguard_2102_firmware
Published: May 07, 2026
Source: NVD
CVE-2026-4430 HIGH - 7.8

Out-of-bounds write vulnerability in The Document Foundation LibreOffice via crafted OOXML documents with mismatched encryption salt parameters. This issue affects LibreOffice: from 26.2 before 26.2.3, from 25.8 before 25.8.7.

Vendor: libreoffice
Product: libreoffice
Published: May 07, 2026
Source: NVD
CVE-2026-44406 MEDIUM - 5.7

ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.contains a DLL hijacking vulnerability; since uSmartViewServic...

Vendor: ZTE
Product: ZXCLOUD iRAI
Published: May 07, 2026
Source: NVD
CVE-2025-9661 HIGH - 8.1

OS command injection vulneravility in the management gui (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.

Vendor: hitachi
Product: virtual_storage_one_block
Published: May 07, 2026
Source: NVD
CVE-2026-8063 MEDIUM - 6.5

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads th...

Vendor: mongodb
Product: mongodb
Published: May 07, 2026
Source: NVD
CVE-2026-7252 HIGH - 8.1

The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, ...

Published: May 07, 2026
Source: NVD
CVE-2026-6692 HIGH - 8.8

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subsc...

Published: May 07, 2026
Source: NVD
CVE-2026-4348 HIGH - 7.5

The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being pass...

Published: May 07, 2026
Source: NVD
CVE-2026-41413 MEDIUM - 5.0

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost o...

Vendor: istio
Product: istio
Published: May 07, 2026
Source: NVD
CVE-2026-41143 HIGH - 8.8

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL...

Vendor: YesWiki
Product: yeswiki
Published: May 07, 2026
Source: NVD
CVE-2026-41139 HIGH - 8.8

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.

Vendor: josdejong
Product: mathjs
Published: May 07, 2026
Source: NVD
CVE-2026-44513 HIGH - 8.8

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three va...

Vendor: pip
Product: diffusers
Published: May 07, 2026
Source: GitHub
CVE-2026-44248 MEDIUM - 5.3

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the by...

Vendor: maven
Product: io.netty:netty-codec-mqtt
Published: May 07, 2026
Source: GitHub
CVE-2026-44007 CRITICAL - 9.1

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new i...

Vendor: npm
Product: vm2
Published: May 07, 2026
Source: GitHub
CVE-2026-43998 HIGH - 8.5

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not...

Vendor: npm
Product: vm2
Published: May 07, 2026
Source: GitHub
CVE-2026-44003 MEDIUM - 5.3

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_...

Vendor: npm
Product: vm2
Published: May 07, 2026
Source: GitHub