Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,201 - 14,220 of 38,432 CVEs
CVE-2026-44664 MEDIUM - 6.1

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XM...

Vendor: npm
Product: fast-xml-builder
Published: May 08, 2026
Source: GitHub
CVE-2026-44009 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, this vulnerability is fixed in 3.11.2.

Vendor: npm
Product: vm2
Published: May 08, 2026
Source: GitHub

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent...

Vendor: ZcashFoundation
Product: zebra
Published: May 08, 2026
Source: NVD

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one call...

Vendor: absinthe-graphql
Product: absinthe
Published: May 08, 2026
Source: NVD

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlin...

Vendor: absinthe-graphql
Product: absinthe_plug
Published: May 08, 2026
Source: NVD

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules...

Vendor: absinthe-graphql
Product: absinthe
Published: May 08, 2026
Source: NVD
CVE-2026-41886 HIGH - 7.5

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize,...

Vendor: locize
Product: locize
Published: May 08, 2026
Source: NVD
CVE-2026-41885 MEDIUM - 6.5

i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLan...

Vendor: locize
Product: i18next-locize-backend
Published: May 08, 2026
Source: NVD
CVE-2026-41883 HIGH - 8.1

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example...

Vendor: omnifaces
Product: omnifaces
Published: May 08, 2026
Source: NVD
CVE-2026-41693 HIGH - 8.2

i18next-fs-backend is a backend layer for i18next, used in Node.js and Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting file f...

Vendor: i18next
Product: i18next-fs-backend
Published: May 08, 2026
Source: NVD
CVE-2026-41690 HIGH - 8.6

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach...

Vendor: i18next
Product: i18next-http-middleware
Published: May 08, 2026
Source: NVD
CVE-2026-34354 HIGH - 7.4

Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the Handl...

Vendor: Akamai
Product: Guardicore Platform Agent, Zero Trust Client
Published: May 08, 2026
Source: NVD
CVE-2026-29975 HIGH - 7.5

lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causin...

Published: May 08, 2026
Source: NVD
CVE-2026-29974 HIGH - 7.5

An issue was discovered in kosma minmea 0.3.0. The minmea_scan function's format specifier copies NMEA field data to a caller-provided buffer without a size parameter. Applications using minmea_scan on untrusted input are vulnerable to a stack buffer overflow.

Published: May 08, 2026
Source: NVD
CVE-2026-29972 HIGH - 8.2

nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library writes register data from the server response to the caller-provided buffer based on the response&#...

Published: May 08, 2026
Source: NVD
CVE-2026-44008 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and...

Vendor: npm
Product: vm2
Published: May 08, 2026
Source: GitHub
CVE-2026-40295 MEDIUM - 6.1

Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET re...

Vendor: rubygems
Product: devise
Published: May 08, 2026
Source: GitHub

In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the follow splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ ...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: fs: init flags_valid before calling vfs_fileattr_get syzbot reported a uninit-value bug in [1]. Similar to the "*get" context where the kernel's internal file_kattr structure is initialized before calling vfs_filea...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation o...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD