Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,899
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,341 - 14,360 of 38,432 CVEs
CVE-2026-43352 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. Th...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2026-43351 MEDIUM - 5.5

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Eagerly init vgic dist/redist on vgic creation If vgic_allocate_private_irqs_locked() fails for any odd reason, we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised. kvm_vgic_dist_destroy() then ...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2026-41588 CRITICAL - 9.0

RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py - check_sign_in_key(). This issue has been patched via commit 2f68e16.

Vendor: inducer
Product: relate
Published: May 08, 2026
Source: NVD
CVE-2026-41585 MEDIUM - 6.5

ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the...

Vendor: zfnd
Product: zebra-rpc
Published: May 08, 2026
Source: NVD
CVE-2026-41584 HIGH - 7.5

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "ze...

Vendor: zfnd
Product: zebra-chain
Published: May 08, 2026
Source: NVD
CVE-2026-41583 CRITICAL - 9.1

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network up...

Vendor: zfnd
Product: zebra-script
Published: May 08, 2026
Source: NVD
CVE-2026-41576 HIGH - 7.1

Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then ...

Vendor: Ajax30
Product: BraveCMS-2.0
Published: May 08, 2026
Source: NVD
CVE-2026-41575 MEDIUM - 6.1

In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was directly rendered in the browser, allowing attackers to execute arbitrary JavaScript. This issue has been ...

Vendor: th30d4y
Product: IP
Published: May 08, 2026
Source: NVD
CVE-2026-41574 CRITICAL - 9.8

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trus...

Vendor: nhost
Product: nhost
Published: May 08, 2026
Source: NVD
CVE-2026-41570 HIGH - 7.8

PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a s...

Vendor: sebastianbergmann
Product: phpunit
Published: May 08, 2026
Source: NVD
CVE-2026-41524 HIGH - 8.7

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an edito...

Vendor: Ajax30
Product: BraveCMS-2.0
Published: May 08, 2026
Source: NVD
CVE-2026-41487 MEDIUM - 5.4

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an existi...

Vendor: langfuse
Product: langfuse
Published: May 08, 2026
Source: NVD
CVE-2026-41308 MEDIUM - 6.5

Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This c...

Vendor: pglombardo
Product: PasswordPusher
Published: May 08, 2026
Source: NVD
CVE-2026-38361 HIGH - 7.5

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components

Vendor: fohrloop
Product: dash-uploader
Published: May 08, 2026
Source: NVD
CVE-2026-37431 CRITICAL - 9.8

Beauty Parlour Management System v1.1 was discovered to contain a SQL injection vulnerability via the aptnumber parameter in the /appointment-detail.php endpoint. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

Published: May 08, 2026
Source: NVD
CVE-2025-67486 HIGH - 7.2

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" fi...

Vendor: Dolibarr
Product: dolibarr
Published: May 08, 2026
Source: NVD

SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information.

Published: May 08, 2026
Source: NVD
CVE-2026-44340 HIGH - 7.5

PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape - but does not validate member...

Vendor: MervinPraison
Product: PraisonAI
Published: May 08, 2026
Source: NVD
CVE-2026-44339 HIGH - 8.6

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _pe...

Vendor: MervinPraison
Product: PraisonAI
Published: May 08, 2026
Source: NVD
CVE-2026-44338 HIGH - 7.3

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /...

Vendor: MervinPraison
Product: PraisonAI
Published: May 08, 2026
Source: NVD