Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,765
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,501 - 14,520 of 38,432 CVEs
CVE-2026-42279 MEDIUM - 5.8

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-ent...

Vendor: solidtime-io
Product: solidtime
Published: May 08, 2026
Source: NVD

UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the pr...

Vendor: UltraDAGcom
Product: core
Published: May 08, 2026
Source: NVD
CVE-2026-42277 MEDIUM - 6.5

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the ...

Vendor: onyx-dot-app
Product: onyx
Published: May 08, 2026
Source: NVD
CVE-2026-42276 MEDIUM - 4.3

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the call...

Vendor: onyx-dot-app
Product: onyx
Published: May 08, 2026
Source: NVD
CVE-2023-42346 HIGH - 7.5

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.

Published: May 08, 2026
Source: NVD
CVE-2023-42345 MEDIUM - 6.1

A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.

Published: May 08, 2026
Source: NVD
CVE-2023-42344 HIGH - 7.3

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

Published: May 08, 2026
Source: NVD
CVE-2023-42343 MEDIUM - 6.1

A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type.

Published: May 08, 2026
Source: NVD
CVE-2022-45899 MEDIUM - 6.5

Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field.

Published: May 08, 2026
Source: NVD
CVE-2022-26523 MEDIUM - 5.3

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94.

Published: May 08, 2026
Source: NVD
CVE-2022-26522 HIGH - 7.8

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.

Published: May 08, 2026
Source: NVD
CVE-2022-23961 MEDIUM - 6.1

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface.

Published: May 08, 2026
Source: NVD
CVE-2026-8136 LOW - 2.4

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross-site scripting. The attack may be launched remotely. The exploit has been published and may...

Published: May 08, 2026
Source: NVD
CVE-2026-8133 HIGH - 7.3

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to SQL injection. The attack can be launched re...

Published: May 08, 2026
Source: NVD
CVE-2026-8132 HIGH - 7.3

A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be u...

Published: May 08, 2026
Source: NVD
CVE-2026-8131 HIGH - 7.3

A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public ...

Published: May 08, 2026
Source: NVD
CVE-2026-8130 HIGH - 7.3

A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be us...

Published: May 08, 2026
Source: NVD
CVE-2026-8129 HIGH - 7.3

A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to SQL injection. The attack may be performed remotely. The exploit has been publicly disclo...

Published: May 08, 2026
Source: NVD
CVE-2026-44298 MEDIUM - 4.1

Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) ins...

Vendor: kimai
Product: kimai
Published: May 08, 2026
Source: NVD
CVE-2026-43944 CRITICAL - 9.6

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or openin...

Vendor: electerm
Product: electerm
Published: May 08, 2026
Source: NVD