Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,619
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,321 - 14,340 of 37,942 CVEs
CVE-2026-42555 CRITICAL - 9.1

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions fr...

Vendor: maven
Product: com.ritense.valtimo:document
Published: May 06, 2026
Source: GitHub
CVE-2026-42552 HIGH - 7.5

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak...

Vendor: composer
Product: flightphp/core
Published: May 06, 2026
Source: GitHub
CVE-2026-42551 HIGH - 7.5

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target me...

Vendor: composer
Product: flightphp/core
Published: May 06, 2026
Source: GitHub
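The CVE-2026-42551 entry describes a method override that is honoured on every verb with no allowlist of targets. The following is an added example, written in Python for this listing rather than taken from Flight (which is PHP); the route table, `vulnerable_method`, `hardened_method` and `dispatch` are hypothetical names. It shows why a GET that carries `?_method=DELETE` is dangerous, and the two checks that close it: only POST may carry an override, and only to an allowlisted target.

```python
import re
from typing import Mapping

# Targets a client may tunnel through POST (HTML forms cannot send these
# directly). Anything else, notably GET/HEAD/TRACE/OPTIONS, is refused.
ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}

# Hypothetical route table for the demo: (method, path) -> handler name.
ROUTES = {
    ("GET", "/users/1"): "show_user",
    ("DELETE", "/users/1"): "delete_user",
}


def vulnerable_method(method: str, headers: Mapping[str, str],
                      params: Mapping[str, str]) -> str:
    """Pattern the advisory describes: the override is honoured on every verb
    and may name any target method."""
    override = headers.get("X-HTTP-Method-Override") or params.get("_method")
    return override.upper() if override else method.upper()


def hardened_method(method: str, headers: Mapping[str, str],
                    params: Mapping[str, str]) -> str:
    """Only POST may carry an override, and only to an allowlisted target.
    A GET can never be upgraded, so an <img>/<a> link cannot become DELETE."""
    method = method.upper()
    if method != "POST":
        return method
    override = headers.get("X-HTTP-Method-Override") or params.get("_method")
    if not override:
        return method
    override = override.strip().upper()
    if override not in ALLOWED_OVERRIDES:
        raise ValueError(f"method override {override!r} is not permitted")
    return override


def dispatch(resolve, method, path, headers=None, params=None) -> str:
    """Route with the given method resolver; returns a handler name, '404',
    or '400' when the resolver refuses the override."""
    try:
        effective = resolve(method, headers or {}, params or {})
    except ValueError:
        return "400"
    return ROUTES.get((effective, path), "404")


if __name__ == "__main__":
    # A GET carrying ?_method=DELETE (constructed example: think of a link or
    # image tag a victim's browser follows, with no CSRF token involved).
    forged = {"_method": "DELETE"}
    print(dispatch(vulnerable_method, "GET", "/users/1", params=forged))  # delete_user
    print(dispatch(hardened_method, "GET", "/users/1", params=forged))    # show_user
```

With the hardened resolver a forged GET stays a GET; a genuine POST can still tunnel PUT, PATCH or DELETE, and a POST asking for TRACE is answered with a 400 rather than routed.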
CVE-2026-42550 HIGH - 8.8

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...

Vendor: composer
Product: flightphp/core
Published: May 06, 2026
Source: GitHub
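The CVE-2026-42550 entry is about identifiers (table and column names) being concatenated into SQL, a place bound parameters cannot protect. The block below is an added example in Python against SQLite, not Flight's code; `vulnerable_insert_sql`, `quote_ident`, `safe_insert_sql` and the `users` table are hypothetical. It shows how an attacker-controlled key of the data array turns an INSERT into a self-chosen admin row while keeping the bound-parameter count consistent, and the allowlist-then-quote routine that rejects it.

```python
import re
import sqlite3

# Conservative allowlist for identifiers; adjust to your schema's naming rules.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def vulnerable_insert_sql(table: str, data: dict) -> str:
    """Pattern the advisory describes: table and column names go in unquoted
    and unvalidated; only the values are bound."""
    cols = ", ".join(data.keys())
    marks = ", ".join("?" for _ in data)
    return f"INSERT INTO {table} ({cols}) VALUES ({marks})"


def quote_ident(name: str) -> str:
    """Allowlist first, then quote. Quoting alone is not enough: SQLite, for
    one, treats an unknown double-quoted identifier as a string literal."""
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f"illegal SQL identifier: {name!r}")
    return '"' + name + '"'


def safe_insert_sql(table: str, data: dict) -> str:
    cols = ", ".join(quote_ident(c) for c in data)
    marks = ", ".join("?" for _ in data)
    return f"INSERT INTO {quote_ident(table)} ({cols}) VALUES ({marks})"


def run_demo():
    """Returns (admin rows created by the injection, whether the safe builder
    rejected the payload, final row count)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, is_admin INTEGER DEFAULT 0)")

    # Attacker controls a key of the data array (constructed payload). The two
    # '?' placeholders in the WHERE clause keep the binding count equal to the
    # number of keys, so the driver does not complain, and the trailing
    # comment swallows the original VALUES clause.
    evil = {"name": "bob",
            "is_admin) SELECT 'mallory', 1 WHERE ? IS NOT ? --": "ignored"}
    con.execute(vulnerable_insert_sql("users", evil), tuple(evil.values()))
    admins = con.execute("SELECT name FROM users WHERE is_admin = 1").fetchall()

    try:
        safe_insert_sql("users", evil)
        rejected = False
    except ValueError:
        rejected = True

    good = {"name": "carol", "is_admin": 0}
    con.execute(safe_insert_sql("users", good), tuple(good.values()))
    total = con.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    con.close()
    return admins, rejected, total


if __name__ == "__main__":
    print(vulnerable_insert_sql("users", {"name": "x"}))   # INSERT INTO users (name) VALUES (?)
    print(safe_insert_sql("users", {"name": "x"}))         # INSERT INTO "users" ("name") VALUES (?)
    print(run_demo())                                      # ([('mallory',)], True, 2)
```

The lesson generalises beyond this framework: any API that accepts a caller-supplied table or column name must validate it against an allowlist (or a fixed schema map) before quoting, because placeholders only exist for values.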
CVE-2026-42549 MEDIUM - 4.4

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the nam...

Vendor: composer
Product: flightphp/core
Published: May 06, 2026
Source: GitHub

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that execut...

Vendor: composer
Product: flightphp/core
Published: May 06, 2026
Source: GitHub
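The jsonp entry above is a script-context injection: whatever arrives in `?jsonp=` becomes the start of a JavaScript response. Added example (Python, hypothetical `vulnerable_jsonp` and `safe_jsonp`, not Flight's implementation) showing the injected body a vulnerable handler emits and a validator that accepts only a dotted JavaScript identifier before building the response:

```python
import json
import re

# A JSONP callback must be a plain (optionally dotted) JavaScript identifier.
# ASCII only; $ and _ are legal identifier characters.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 64


def vulnerable_jsonp(callback: str, payload) -> str:
    """Pattern the advisory describes: the query parameter is pasted straight
    into the script body, so 'alert(1);//' runs in the victim's browser."""
    return f"{callback}({json.dumps(payload)})"


def safe_jsonp(callback: str, payload) -> tuple:
    """Return (status, headers, body). Rejects anything that is not an
    identifier, prefixes /**/ (Rosetta Flash mitigation) and sets nosniff so
    the body is never sniffed as another type."""
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.fullmatch(callback):
        return 400, [("Content-Type", "text/plain; charset=utf-8")], "invalid callback"
    # json.dumps with the default ensure_ascii=True also escapes U+2028 and
    # U+2029, which are line terminators in JavaScript but not in JSON.
    body = f"/**/{callback}({json.dumps(payload)});"
    headers = [("Content-Type", "application/javascript; charset=utf-8"),
               ("X-Content-Type-Options", "nosniff")]
    return 200, headers, body


if __name__ == "__main__":
    evil = "alert(document.cookie);//"                     # constructed ?jsonp= value
    print(vulnerable_jsonp(evil, {"ok": True}))             # alert(document.cookie);//({"ok": true})
    print(safe_jsonp(evil, {"ok": True})[0])                # 400
    print(safe_jsonp("jQuery.cb_1", {"ok": True})[2])       # /**/jQuery.cb_1({"ok": true});
```

Because JSONP by design executes cross-origin, the identifier check is the whole defence; there is no escaping step that can make an arbitrary callback string safe.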
CVE-2026-42545 MEDIUM - 5.9

Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malforme...

Vendor: pip
Product: granian
Published: May 06, 2026
Source: GitHub
CVE-2026-42544 HIGH - 7.5

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction ...

Vendor: pip
Product: granian
Published: May 06, 2026
Source: GitHub
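Both Granian entries (CVE-2026-42545 and CVE-2026-42544) are the same failure mode: a header the server's constructors reject is handled with an unchecked `.unwrap()`, so one bad header kills a worker. The block below is an added example in Python, not Granian's Rust; `BadHeader`, `build_response` and `parse_subprotocols` are hypothetical names. It validates header names as RFC 9110 tokens and values as field-value bytes, turns an application's malformed header into a 500 for that one response, and rejects a non-ASCII `Sec-WebSocket-Protocol` with an error the caller can map to a 400 instead of an abort:

```python
import re

# RFC 9110 token characters (header names, WebSocket subprotocol names).
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# field-value: visible ASCII, SP, HTAB and obs-text; never CR, LF or NUL.
FIELD_VALUE_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


class BadHeader(ValueError):
    """A header the server must refuse. Callers turn it into a 4xx/5xx for
    that one request instead of letting the worker process die."""


def validate_header(name: str, value: str) -> tuple:
    if not TOKEN_RE.fullmatch(name):
        raise BadHeader(f"bad header name {name!r}")
    if not FIELD_VALUE_RE.fullmatch(value):
        raise BadHeader(f"bad value for header {name!r}")
    return name, value


def convert_wsgi_headers(headers) -> list:
    """WSGI hands the server a list of (name, value) str pairs. Validate every
    pair; an unchecked conversion at this point is what takes a worker down."""
    return [validate_header(n, v) for n, v in headers]


def build_response(status: str, headers, body: bytes = b"") -> tuple:
    """Server side of the WSGI contract: an app that emits a malformed header
    gets a 500 for this request, and the worker keeps serving the rest."""
    try:
        checked = convert_wsgi_headers(headers)
    except BadHeader as exc:
        return ("500 Internal Server Error",
                [("Content-Type", "text/plain; charset=utf-8")],
                f"application returned an invalid header: {exc}".encode())
    return status, checked, body


def parse_subprotocols(raw: bytes) -> list:
    """Sec-WebSocket-Protocol is 1#token. Non-ASCII bytes or a non-token entry
    must become a 400, never a crash: the sender is unauthenticated."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise BadHeader("non-ASCII bytes in Sec-WebSocket-Protocol") from exc
    protos = [p.strip(" \t") for p in text.split(",")]
    protos = [p for p in protos if p]          # tolerate empty list elements
    if not protos or any(not TOKEN_RE.fullmatch(p) for p in protos):
        raise BadHeader("invalid Sec-WebSocket-Protocol")
    return protos


if __name__ == "__main__":
    # Constructed inputs: a response-splitting value and a non-ASCII subprotocol.
    print(build_response("200 OK", [("X-Trace", "a\r\nSet-Cookie: x=1")])[0])  # 500 Internal Server Error
    try:
        parse_subprotocols("ch\u00e4t".encode("utf-8"))
    except BadHeader as e:
        print("400:", e)
    print(parse_subprotocols(b"chat, superchat"))   # ['chat', 'superchat']
```

The split between the two failures matters for severity: the WSGI case needs a misbehaving application, while the WebSocket case is reachable by any client, which is why the second entry carries the higher score.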
CVE-2026-42844 HIGH - 8.8

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full admin...

Vendor: composer
Product: getgrav/grav
Published: May 06, 2026
Source: GitHub

Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths, failing to validate the redirect target before processing. The application treats these values a...

Vendor: MasaCMS
Product: MasaCMS
Published: May 06, 2026
Source: NVD
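The Masa CMS entry is the classic "starts with a slash, so it must be local" mistake, which scheme-relative `//host` targets defeat. Added example in Python (not Masa CMS code; `vulnerable_is_internal`, `safe_redirect_target` and the origin `https://app.example/` are hypothetical) showing the flawed test and a replacement that also covers the browser-side normalisations an attacker uses to smuggle a host past a naive check (backslash, embedded tab/newline, triple slash):

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://app.example/"   # hypothetical origin for the demo


def vulnerable_is_internal(target: str) -> bool:
    """The flawed check the advisory describes: a leading slash is taken to
    mean 'local path', so the scheme-relative //evil.example passes."""
    return target.startswith("/")


def safe_redirect_target(target: str, default: str = "/",
                         origin: str = SITE_ORIGIN) -> str:
    """Return target if it is a same-origin absolute path, otherwise default."""
    if not target:
        return default
    # Browsers strip tab/CR/LF and treat backslash as slash in http URLs, so
    # "/\evil.example" and "/\t/evil.example" both become //evil.example.
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default          # absolute URL, or the //host form
    if not target.startswith("/") or target.startswith("//"):
        return default          # relative path, or ///host (urlsplit sees no netloc)
    # Belt and braces: resolve against our origin and confirm the host held.
    if urlsplit(urljoin(origin, target)).netloc != urlsplit(origin).netloc:
        return default
    return target


if __name__ == "__main__":
    for t in ["/account/settings?tab=1", "//evil.example/", "/\\evil.example",
              "///evil.example", "https://evil.example", "javascript:alert(1)"]:
        print(f"{t!r}: naive={vulnerable_is_internal(t)} safe={safe_redirect_target(t)!r}")
```

Where the application only ever redirects to a handful of internal pages, an allowlist of path prefixes (or of named routes) is simpler still and removes the parser from the trust decision entirely.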

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could a...

Vendor: go
Product: github.com/gohugoio/hugo
Published: May 06, 2026
Source: GitHub

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, there is a reflected XSS vulnerability under admin panel -> System -> Import/Ex...

Vendor: composer
Product: openmage/magento-lts
Published: May 06, 2026
Source: GitHub
CVE-2026-44306 MEDIUM - 5.3

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up...

Vendor: composer
Product: statamic/cms
Published: May 06, 2026
Source: GitHub
CVE-2026-44302 HIGH - 7.5

Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. This vulnerability is fixed in 1.3.1.

Vendor: nuget
Product: Snappier
Published: May 06, 2026
Source: GitHub

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver specifies "--output <dir>" and that output directory already exists (as a directory). This vulnerability is f...

Vendor: pip
Product: magic-wormhole
Published: May 06, 2026
Source: GitHub
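Two entries on this page are arbitrary-file-write problems decided by where a sender-supplied name lands on disk: the Magic Wormhole `--output <dir>` traversal just above and, earlier, Grav's `/api/v1/blueprint-upload` writing into `user/accounts/`. The following is an added example in Python, not code from either project; `safe_destination`, `write_received` and the demo directory layout are hypothetical. It resolves the final path (following symlinks and collapsing `..`) and refuses anything that is not strictly inside the output directory, then creates the file exclusively so an existing file is never clobbered:

```python
import tempfile
from pathlib import Path


def safe_destination(output_dir, name: str) -> Path:
    """Map a sender-supplied name onto output_dir, refusing anything whose
    fully resolved location is not strictly inside that directory."""
    base = Path(output_dir).resolve()
    if not name or "\x00" in name or Path(name).is_absolute():
        raise ValueError(f"rejected name {name!r}")
    # resolve() follows symlinks and collapses '..', so a symlink already
    # present in the directory cannot redirect the write outside base either.
    dest = (base / name).resolve()
    try:
        dest.relative_to(base)
    except ValueError:
        raise ValueError(f"{name!r} escapes {base}") from None
    if dest == base:
        raise ValueError("name resolves to the output directory itself")
    return dest


def write_received(output_dir, name: str, data: bytes) -> Path:
    dest = safe_destination(output_dir, name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    with open(dest, "xb") as fh:      # exclusive create: never overwrite
        fh.write(data)
    return dest


def demo() -> dict:
    """Constructed layout: out/ is the --output dir, out/link -> ../elsewhere.
    Returns name -> 'written' | 'rejected', plus whether anything escaped."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        out = root / "out"
        out.mkdir()
        (root / "elsewhere").mkdir()
        names = ["report.txt", "sub/dir/file.bin", "../elsewhere/pwned",
                 "/etc/passwd", "."]
        try:
            (out / "link").symlink_to(root / "elsewhere", target_is_directory=True)
            names.append("link/pwned")
        except OSError:
            pass                          # no symlink privilege on this host
        for name in names:
            try:
                write_received(out, name, b"payload")
                results[name] = "written"
            except ValueError:
                results[name] = "rejected"
        results["escaped"] = (root / "elsewhere" / "pwned").exists()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check-then-write still has a window in which a local attacker could swap a directory for a symlink; on platforms that offer it, opening with `O_NOFOLLOW` (or writing via a directory file descriptor with `openat`) closes that gap.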
CVE-2026-8033 MEDIUM - 5.3

A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosure. The attack can be performed remotely. The exploit has b...

Published: May 06, 2026
Source: NVD
CVE-2026-8032 HIGH - 7.3

A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. Manipulation of the argument ADMIN_KEY leads to use of hard-coded credentials. The attack can be carried out remotely. The exploit has b...

Published: May 06, 2026
Source: NVD
CVE-2026-44118 HIGH - 7.8

OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-44117 MEDIUM - 5.8

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-44116 HIGH - 8.6

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthor...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
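The two OpenClaw SSRF entries (CVE-2026-44117 and CVE-2026-44116) share a cause: a media-upload path takes a URL and fetches it without running it through the SSRF guard. The block below is an added example of what such a guard checks, written in Python with hypothetical names (`vet_outbound_url`, `is_public_ip`, `SsrfBlocked`) and a constructed resolver table so it runs offline; it is not OpenClaw's code. It restricts the scheme, refuses userinfo, resolves the host, unwraps IPv4-mapped IPv6 literals, and rejects the request if any resolved address is loopback, private, link-local or otherwise non-public:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class SsrfBlocked(ValueError):
    pass


def _default_resolve(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip) -> bool:
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 and friends: judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vet_outbound_url(url: str, resolve=None) -> list:
    """Return the vetted address list for url, or raise SsrfBlocked.
    Connect to one of the returned addresses rather than resolving again,
    otherwise a DNS rebinding between check and use defeats the guard."""
    resolve = resolve or _default_resolve
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("userinfo in URL")
    host = parts.hostname          # lower-cased, IPv6 brackets already stripped
    if not host:
        raise SsrfBlocked("no host")
    try:
        addrs = [ipaddress.ip_address(host)]            # literal IP
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            raise SsrfBlocked(f"cannot resolve {host!r}") from exc
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise SsrfBlocked(f"{host!r} maps to a non-public address")
    return addrs


# Constructed resolver table so the demo runs offline. 93.184.216.34 is a
# documentation address; the others are well-known metadata/internal targets.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],   # split answer: one bad address is enough to block
}


def fake_resolve(host: str) -> list:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


def is_allowed(url: str) -> bool:
    try:
        vet_outbound_url(url, resolve=fake_resolve)
        return True
    except SsrfBlocked:
        return False


if __name__ == "__main__":
    for u in ["https://cdn.example/photo.jpg", "http://127.0.0.1/",
              "http://[::ffff:127.0.0.1]/", "https://metadata.internal/latest/",
              "https://dual.example/x", "file:///etc/passwd"]:
        print(f"{u}: {'allowed' if is_allowed(u) else 'blocked'}")
```

The point the advisories make is not that the guard was wrong but that a new code path skipped it; a guard is only useful if every outbound fetch goes through one client that calls it, which is easier to enforce with a single HTTP client wrapper than with per-endpoint checks.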