Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,943
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,401 - 14,420 of 41,119 CVEs
CVE-2026-8495 CRITICAL - 9.8

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

Published: May 19, 2026
Source: NVD
CVE-2026-8493 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.

Published: May 19, 2026
Source: NVD
CVE-2026-8492 LOW - 2.7

Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.

Published: May 19, 2026
Source: NVD
CVE-2026-8491 LOW - 3.7

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.

Published: May 19, 2026
Source: NVD
CVE-2026-6871 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2.

Vendor: obfuscate_project
Product: obfuscate
Published: May 19, 2026
Source: NVD
CVE-2026-6367 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

Vendor: drupal
Product: drupal
Published: May 19, 2026
Source: NVD
CVE-2026-6366 MEDIUM - 6.6

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

Vendor: drupal
Product: drupal
Published: May 19, 2026
Source: NVD
CVE-2026-6365 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 1...

Vendor: drupal
Product: drupal
Published: May 19, 2026
Source: NVD
CVE-2026-6095 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16.

Vendor: gaya
Product: orejime
Published: May 19, 2026
Source: NVD
CVE-2026-34600 MEDIUM - 5.7

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior pa...

Vendor: laurent22
Product: joplin
Published: May 19, 2026
Source: NVD
CVE-2026-5090 MEDIUM - 6.1

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' t...

Published: May 19, 2026
Source: NVD
CVE-2026-34358 HIGH - 8.1

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any auth...

Vendor: Ctrlpanel-gg
Product: panel
Published: May 19, 2026
Source: NVD
CVE-2026-34246 MEDIUM - 4.8

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and ...

Vendor: Ctrlpanel-gg
Product: panel
Published: May 19, 2026
Source: NVD
CVE-2026-34241 HIGH - 8.7

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered...

Vendor: Ctrlpanel-gg
Product: panel
Published: May 19, 2026
Source: NVD
CVE-2026-34234 CRITICAL - 10.0

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler f...

Vendor: Ctrlpanel-gg
Product: panel
Published: May 19, 2026
Source: NVD
CVE-2025-15645 MEDIUM - 4.6

Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-control...

Vendor: Ledger
Product: Ledger Nano X, Ledger Flex, Ledger Stax
Published: May 19, 2026
Source: NVD

Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of Memory Segment (TSEG) memory region, potentially resulting in loss of confidentiality or integrity.

Published: May 19, 2026
Source: NVD
CVE-2023-7345 MEDIUM - 6.5

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtai...

Published: May 19, 2026
Source: NVD
CVE-2026-39250 HIGH - 7.3

An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations.

Published: May 19, 2026
Source: NVD
CVE-2026-34233 MEDIUM - 6.5

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. ...

Vendor: Ctrlpanel-gg
Product: panel
Published: May 19, 2026
Source: NVD