Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,755
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,561 - 14,580 of 38,432 CVEs
CVE-2026-6736 MEDIUM - 6.5

An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the a...

Vendor: github
Product: enterprise_server
Published: May 07, 2026
Source: NVD
CVE-2026-42826 CRITICAL - 10.0

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: azure_devops
Published: May 07, 2026
Source: NVD
CVE-2026-41929 MEDIUM - 6.1

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or ...

Vendor: givanz
Product: Vvveb
Published: May 07, 2026
Source: NVD
CVE-2026-41928 MEDIUM - 5.3

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response...

Vendor: givanz
Product: Vvveb
Published: May 07, 2026
Source: NVD
CVE-2026-41105 HIGH - 8.1

Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_monitor_action_group_notification_system
Published: May 07, 2026
Source: NVD
CVE-2026-40214 MEDIUM - 6.3

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi ...

Vendor: OpenStack
Product: Cyborg
Published: May 07, 2026
Source: NVD
CVE-2026-40213 HIGH - 7.4

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments c...

Vendor: OpenStack
Product: Cyborg
Published: May 07, 2026
Source: NVD
CVE-2026-35435 HIGH - 8.6

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_ai_foundry
Published: May 07, 2026
Source: NVD
CVE-2026-35428 CRITICAL - 9.6

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: azure_cloud_shell
Published: May 07, 2026
Source: NVD
CVE-2026-34327 HIGH - 8.2

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: partner_center
Published: May 07, 2026
Source: NVD
CVE-2026-33844 CRITICAL - 9.0

Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_managed_instance_for_apache_cassandra
Published: May 07, 2026
Source: NVD
CVE-2026-33823 CRITICAL - 9.6

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

Vendor: microsoft
Product: teams
Published: May 07, 2026
Source: NVD
CVE-2026-33111 HIGH - 7.5

Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-33109 CRITICAL - 9.9

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: azure_managed_instance_for_apache_cassandra
Published: May 07, 2026
Source: NVD
CVE-2026-32207 HIGH - 8.8

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: azure_machine_learning
Published: May 07, 2026
Source: NVD
CVE-2026-26164 HIGH - 7.5

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-26129 HIGH - 7.5

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot_chat
Published: May 07, 2026
Source: NVD
CVE-2026-44641 HIGH - 7.1

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but th...

Vendor: pip
Product: apm-cli
Published: May 07, 2026
Source: GitHub
CVE-2026-8098 HIGH - 7.3

A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly an...

Published: May 07, 2026
Source: NVD
CVE-2026-8097 MEDIUM - 6.3

A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be...

Published: May 07, 2026
Source: NVD