Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,755
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,581 - 14,600 of 38,432 CVEs

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-34429. Reason: This candidate is a duplicate of CVE-2026-34429. Notes: All CVE users should reference CVE-2026-34429 instead of this candidate.

Published: May 07, 2026
Source: NVD
CVE-2026-41692 MEDIUM - 4.7

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/loc...

Vendor: i18next
Product: i18nextify
Published: May 07, 2026
Source: NVD
CVE-2026-41691 MEDIUM - 6.5

Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template w...

Vendor: i18next
Product: i18next-http-backend
Published: May 07, 2026
Source: NVD
CVE-2026-44523 CRITICAL - 10.0

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: May 07, 2026
Source: GitHub

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored dir...

Vendor: go
Product: github.com/enchant97/note-mark/backend
Published: May 07, 2026
Source: GitHub
CVE-2026-44497 CRITICAL - 9.1

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of retur...

Vendor: rust
Product: zebra-script
Published: May 07, 2026
Source: GitHub
CVE-2026-44500 MEDIUM - 5.3

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter prot...

Vendor: rust
Product: zebra-network
Published: May 07, 2026
Source: GitHub
CVE-2026-44498 CRITICAL - 7.5

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a ...

Vendor: rust
Product: zebrad
Published: May 07, 2026
Source: GitHub

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validati...

Vendor: npm
Product: nuxt-og-image
Published: May 07, 2026
Source: GitHub
CVE-2026-8142 MEDIUM - 6.5

VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.

Published: May 07, 2026
Source: NVD
CVE-2026-8088 LOW - 3.3

A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD
CVE-2026-8087 MEDIUM - 5.3

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The expl...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD
CVE-2026-43510 HIGH - 7.6

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.

Vendor: CISA
Product: manage.get.gov
Published: May 07, 2026
Source: NVD
CVE-2026-42501 HIGH - 7.5

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered vers...

Vendor: Go toolchain
Product: cmd/go
Published: May 07, 2026
Source: NVD
CVE-2026-42499 HIGH - 7.5

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Vendor: Go standard library
Product: net/mail
Published: May 07, 2026
Source: NVD

Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward ...

Vendor: saltcorn
Product: saltcorn
Published: May 07, 2026
Source: NVD
CVE-2026-42241 MEDIUM - 5.3

ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this cou...

Vendor: G-Research
Product: ParquetSharp
Published: May 07, 2026
Source: NVD
CVE-2026-42239 HIGH - 8.1

Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full acco...

Vendor: Budibase
Product: budibase
Published: May 07, 2026
Source: NVD
CVE-2026-42225 MEDIUM - 5.9

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via ve...

Vendor: pjsip
Product: pjproject
Published: May 07, 2026
Source: NVD
CVE-2026-39836 HIGH - 7.5

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Vendor: Go standard library
Product: net
Published: May 07, 2026
Source: NVD