Showing Year: 2026 (January 1 - December 31, 2026)
Showing 14,601 - 14,620 of 38,432 CVEs
CVE-2026-39826 MEDIUM - 6.1

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Vendor: Go standard library
Product: html/template
Published: May 07, 2026
Source: NVD
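The trigger described above is a `<script>` tag whose type attribute is empty or contains ASCII whitespace. The following Go program is an added example, not code from the Go project: it scans template source for exactly those two forms so they can be caught in review, and for contrast renders untrusted data into a plain `<script>` block to show the JSON-style escaping html/template applies in the JavaScript context when the type attribute is simply omitted. The regexes, function names and the sample template are assumptions made for this demo.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// Matches every <script ...> opening tag and captures its attribute list.
var scriptTagRE = regexp.MustCompile(`(?is)<script\b([^>]*)>`)

// Captures the value of a type attribute written as type="...", type='...' or type=bare.
var typeAttrRE = regexp.MustCompile(`(?i)\stype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]*))`)

// suspiciousScriptTags returns the <script> opening tags whose type attribute is
// empty or contains ASCII whitespace, the two forms the advisory names. A tag
// with no type attribute at all is the normal form and is not reported.
func suspiciousScriptTags(src string) []string {
	var found []string
	for _, m := range scriptTagRE.FindAllStringSubmatch(src, -1) {
		t := typeAttrRE.FindStringSubmatch(m[1])
		if t == nil {
			continue // no type attribute: html/template treats the block as JavaScript
		}
		val := t[1] + t[2] + t[3] // only one alternative can be non-empty
		if val == "" || strings.ContainsAny(val, " \t\n\r\f") {
			found = append(found, m[0])
		}
	}
	return found
}

// renderScriptData renders untrusted data inside a plain <script> block.
// html/template recognises the JavaScript context and JSON-encodes the value,
// turning "<" into \u003c so a "</script>" in the data cannot close the block.
func renderScriptData(untrusted string) (string, error) {
	tmpl, err := template.New("page").Parse(`<script>var subject = {{.}};</script>`)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, untrusted); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed template source for the demo, covering both flagged forms.
	src := `<script type="">{{.}}</script>
<script type=" text/javascript">{{.}}</script>
<script type="module">import x from "./x.js";</script>
<script>var subject = {{.}};</script>`
	for _, tag := range suspiciousScriptTags(src) {
		fmt.Printf("flagged: %s\n", tag)
	}
	out, err := renderScriptData(`</script><img src=x onerror=alert(1)>`)
	if err != nil {
		fmt.Println("render error:", err)
		return
	}
	fmt.Println(out)
}
```

Running the scan over a template tree before deployment is a cheap check; the rendered output shows what a reviewer should expect from a healthy `<script>` context, a JSON string literal with `<` and `>` escaped as `\u003c` and `\u003e`.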
CVE-2026-39825 MEDIUM - 5.3

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReversePro...

Vendor: Go standard library
Product: net/http/httputil
Published: May 07, 2026
Source: NVD
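The description above is truncated on this page, so the exact query form that escaped the Rewrite function's view is not given here. What the entry does state is the contract: parameters the Rewrite cannot see should not be forwarded. The following Go program is an added example, not code from the Go project, of enforcing that contract explicitly: the Rewrite rebuilds the outgoing query from what url.ParseQuery accepted, so the backend receives only parameters the proxy itself parsed, canonically re-encoded. Function names, the loopback backend and the sample query strings are assumptions for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// sanitizeQuery rebuilds a query string from what url.ParseQuery understood.
// Pairs ParseQuery rejects (a semicolon separator, a bad percent-escape) are
// dropped instead of being forwarded verbatim; the error is deliberately
// ignored because the partially parsed Values are exactly what we want.
func sanitizeQuery(raw string) string {
	values, _ := url.ParseQuery(raw)
	return values.Encode()
}

// newProxy builds a ReverseProxy whose Rewrite forwards only the parameters
// it could itself parse, so proxy-side and backend-side views agree.
func newProxy(target *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(target)
			pr.Out.URL.RawQuery = sanitizeQuery(pr.In.URL.RawQuery)
		},
	}
}

// forwardedQuery stands up a throwaway backend and proxy on loopback and
// reports the raw query the backend actually received for an incoming one.
func forwardedQuery(incoming string) (string, error) {
	seen := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.URL.RawQuery
	}))
	defer backend.Close()
	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	front := httptest.NewServer(newProxy(target))
	defer front.Close()
	resp, err := http.Get(front.URL + "/search?" + incoming)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	// Constructed inputs: a clean query, a semicolon-separated pair, a bad escape.
	for _, q := range []string{"a=1&b=2", "a=1;b=2&c=3", "q=%zz&ok=1"} {
		got, err := forwardedQuery(q)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("incoming %q -> backend saw %q\n", q, got)
	}
}
```

This is defense in depth rather than a substitute for updating the standard library; the point is that the backend never sees a parameter the proxy's own parsing did not.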
CVE-2026-39823 MEDIUM - 6.1

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly ...

Vendor: Go standard library
Product: html/template
Published: May 07, 2026
Source: NVD
CVE-2026-39820 HIGH - 7.5

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU usage and memory allocation.

Vendor: Go standard library
Product: net/mail
Published: May 07, 2026
Source: NVD
CVE-2026-39819 MEDIUM - 5.3

The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlin...

Vendor: Go toolchain
Product: cmd/go
Published: May 07, 2026
Source: NVD
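The bug class above is a predictable filename in a shared temporary directory combined with an open that follows symlinks. The Go program below is an added example, not code from the Go toolchain: it stages the attack in a private directory (a victim file, a symlink planted at the predictable name, then the program's own open) and shows that O_CREATE|O_TRUNC clobbers the victim while O_CREATE|O_EXCL refuses, and that os.CreateTemp removes the predictable name altogether. The file names and the helper names are assumptions for the demo.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// openFunc is one way of opening the predictable output path.
type openFunc func(path string) (*os.File, error)

// naiveOpen is what "create this file by fixed name" usually compiles to:
// O_CREATE|O_TRUNC follows a pre-planted symlink and truncates its target.
func naiveOpen(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
}

// exclusiveOpen refuses if anything already sits at the path. With O_EXCL the
// kernel fails with EEXIST for an existing symlink rather than following it.
func exclusiveOpen(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// clobbersTarget plants the symlink an attacker would and reports whether the
// given open strategy ended up replacing the victim's contents.
func clobbersTarget(open openFunc) (bool, error) {
	dir, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)

	victim := filepath.Join(dir, "victim.conf")
	if err := os.WriteFile(victim, []byte("original"), 0o600); err != nil {
		return false, err
	}
	planted := filepath.Join(dir, "gobug-report.txt") // the predictable name
	if err := os.Symlink(victim, planted); err != nil {
		return false, err
	}

	f, err := open(planted)
	if err != nil {
		return false, nil // open refused: victim untouched
	}
	f.WriteString("attacker-controlled contents")
	f.Close()

	data, err := os.ReadFile(victim)
	if err != nil {
		return false, err
	}
	return string(data) != "original", nil
}

func main() {
	naive, err := clobbersTarget(naiveOpen)
	fmt.Println("O_CREATE|O_TRUNC at predictable name clobbered victim:", naive, err)
	excl, err := clobbersTarget(exclusiveOpen)
	fmt.Println("O_CREATE|O_EXCL at predictable name clobbered victim:", excl, err)

	// The fix pattern: let the OS choose an unpredictable name, created with
	// O_EXCL under the hood, so there is nothing for an attacker to pre-create.
	f, err := os.CreateTemp("", "gobug-*.txt")
	if err != nil {
		fmt.Println("CreateTemp:", err)
		return
	}
	fmt.Println("unpredictable name:", f.Name())
	f.Close()
	os.Remove(f.Name())
}
```

O_EXCL alone only turns the overwrite into a denial of service (the program fails to write its file); an unpredictable name from os.CreateTemp, or a private directory created with os.MkdirTemp, is what removes the attacker's foothold.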
CVE-2026-39817 MEDIUM - 5.9

The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

Vendor: Go toolchain
Product: cmd/go
Published: May 07, 2026
Source: NVD
CVE-2026-33814 HIGH - 7.5

When processing HTTP/2 SETTINGS frames, the HTTP/2 transport enters an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Vendor: golang.org/x/net, Go standard library
Product: golang.org/x/net/http2, net/http
Published: May 07, 2026
Source: NVD
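A SETTINGS_MAX_FRAME_SIZE of 0 is not a legal value: the HTTP/2 specification fixes the initial value at 2^14 and requires values outside 2^14..2^24-1 to be treated as a connection error of type PROTOCOL_ERROR, so a conforming parser never lets such a value reach the frame writer. The Go program below is an added example, not code from golang.org/x/net or the standard library: it encodes and validates raw SETTINGS frames the way a peer must before applying them. Constant names and the sample frames are assumptions for the demo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	frameTypeSettings   = 0x4
	flagSettingsAck     = 0x1
	settingEnablePush   = 0x2
	settingInitWindow   = 0x4
	settingMaxFrameSize = 0x5
	minMaxFrameSize     = 1 << 14     // 16384, also the initial value
	maxMaxFrameSize     = 1<<24 - 1   // 16777215
	maxWindowSize       = 1<<31 - 1
)

var (
	errProtocol    = errors.New("PROTOCOL_ERROR")
	errFrameSize   = errors.New("FRAME_SIZE_ERROR")
	errFlowControl = errors.New("FLOW_CONTROL_ERROR")
)

// buildSettingsFrame encodes a SETTINGS frame on stream 0 with no ACK flag:
// a 9-byte frame header followed by 6-byte identifier/value entries.
func buildSettingsFrame(pairs [][2]uint32) []byte {
	payload := make([]byte, 0, 6*len(pairs))
	for _, p := range pairs {
		payload = binary.BigEndian.AppendUint16(payload, uint16(p[0]))
		payload = binary.BigEndian.AppendUint32(payload, p[1])
	}
	hdr := make([]byte, 9)
	hdr[0], hdr[1], hdr[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	hdr[3] = frameTypeSettings
	hdr[4] = 0                             // flags
	binary.BigEndian.PutUint32(hdr[5:], 0) // stream identifier 0
	return append(hdr, payload...)
}

// parseSettings validates a raw SETTINGS frame before any value is applied.
// An out-of-range SETTINGS_MAX_FRAME_SIZE, including 0, is rejected as a
// connection error instead of being stored.
func parseSettings(frame []byte) (map[uint16]uint32, error) {
	if len(frame) < 9 {
		return nil, errFrameSize
	}
	length := int(frame[0])<<16 | int(frame[1])<<8 | int(frame[2])
	typ, flags := frame[3], frame[4]
	streamID := binary.BigEndian.Uint32(frame[5:9]) & 0x7fffffff
	if typ != frameTypeSettings {
		return nil, fmt.Errorf("not a SETTINGS frame: type 0x%x", typ)
	}
	if streamID != 0 {
		return nil, errProtocol
	}
	if len(frame)-9 != length || length%6 != 0 {
		return nil, errFrameSize
	}
	if flags&flagSettingsAck != 0 && length != 0 {
		return nil, errFrameSize
	}
	out := make(map[uint16]uint32)
	for p := frame[9:]; len(p) > 0; p = p[6:] {
		id := binary.BigEndian.Uint16(p[:2])
		val := binary.BigEndian.Uint32(p[2:6])
		switch id {
		case settingEnablePush:
			if val > 1 {
				return nil, errProtocol
			}
		case settingInitWindow:
			if val > maxWindowSize {
				return nil, errFlowControl
			}
		case settingMaxFrameSize:
			if val < minMaxFrameSize || val > maxMaxFrameSize {
				return nil, errProtocol
			}
		}
		out[id] = val // unknown identifiers are stored and otherwise ignored
	}
	return out, nil
}

func main() {
	hostile := buildSettingsFrame([][2]uint32{{settingMaxFrameSize, 0}})
	_, err := parseSettings(hostile)
	fmt.Println("SETTINGS_MAX_FRAME_SIZE=0:", err)
	ok, err := parseSettings(buildSettingsFrame([][2]uint32{{settingMaxFrameSize, 16384}}))
	fmt.Println("SETTINGS_MAX_FRAME_SIZE=16384:", ok, err)
}
```

The same frame builder doubles as a quick probe for a server under your control: send the hostile frame and confirm the connection is torn down with PROTOCOL_ERROR rather than accepted.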
CVE-2026-33811 HIGH - 7.5

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Vendor: Go standard library
Product: net
Published: May 07, 2026
Source: NVD
CVE-2026-42879 MEDIUM - 6.3

FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (us...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub
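The entry above describes a PHP file disguised as a GIF. That works because the checks most upload handlers apply (signature bytes, a header-only image probe) never look past the GIF header, so a file that is a valid GIF followed by PHP passes them. The Go program below is an added example, not FacturaScripts code, and uses Go rather than PHP to stay consistent with the rest of this page: it constructs such a polyglot in memory, shows it passing the header-only checks, and re-encodes the image from its decoded pixels so that only image data survives. The payload string and helper names are assumptions for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"image"
	"image/color"
	"image/gif"
)

// phpMarker is the start of the appended payload. Whatever the checks below
// say, the upload directory must never be one the web server executes from.
const phpMarker = "<?php"

// buildPolyglot constructs, in memory, a valid 1x1 GIF followed by a PHP
// payload placed after the GIF trailer byte.
func buildPolyglot() []byte {
	img := image.NewPaletted(image.Rect(0, 0, 1, 1), color.Palette{color.White, color.Black})
	var buf bytes.Buffer
	if err := gif.Encode(&buf, img, nil); err != nil {
		panic(err)
	}
	buf.WriteString(phpMarker + ` system($_GET["cmd"]); ?>`)
	return buf.Bytes()
}

// magicBytesOK is the check most upload handlers stop at: the signature only.
func magicBytesOK(b []byte) bool {
	return bytes.HasPrefix(b, []byte("GIF87a")) || bytes.HasPrefix(b, []byte("GIF89a"))
}

// headerDecodes mirrors getimagesize-style validation: only the header and
// screen descriptor are read, so trailing bytes are never examined.
func headerDecodes(b []byte) bool {
	_, err := gif.DecodeConfig(bytes.NewReader(b))
	return err == nil
}

// reencode fully decodes the image and writes a fresh GIF from its pixels.
// Bytes that were not image data cannot survive the round trip; if the
// decoder rejects the input outright, the upload is refused, which is also safe.
func reencode(b []byte) ([]byte, error) {
	img, err := gif.Decode(bytes.NewReader(b))
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	if err := gif.Encode(&out, img, nil); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

func main() {
	poly := buildPolyglot()
	fmt.Println("magic bytes ok:", magicBytesOK(poly))
	fmt.Println("header decodes:", headerDecodes(poly))
	fmt.Println("payload present in upload:", bytes.Contains(poly, []byte(phpMarker)))
	clean, err := reencode(poly)
	if err != nil {
		fmt.Println("decoder rejected the file:", err)
		return
	}
	fmt.Println("payload present after re-encoding:", bytes.Contains(clean, []byte(phpMarker)))
}
```

Re-encoding is defense in depth for the image itself; the controls that actually close the hole are storing uploads under a server-generated name with a fixed extension, outside any directory the PHP handler serves, and sending them back with a fixed Content-Type.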
CVE-2026-42878 MEDIUM - 5.3

FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub
CVE-2026-42877 MEDIUM - 5.4

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An au...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick coo...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub
CVE-2026-27892 MEDIUM - 6.5

FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metad...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub
CVE-2026-27891 HIGH - 7.2

FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leadin...

Vendor: composer
Product: facturascripts/facturascripts
Published: May 07, 2026
Source: GitHub
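Both the `go tool pack` entry above (archive member names written to arbitrary locations) and the FacturaScripts Plugins::add() entry (Zip Slip through uploaded ZIP paths) are the same defect: a member name is joined onto the extraction directory without checking where the result lands. The Go program below is an added example, not code from either project, of the check an extractor needs. It maps each member onto the destination, rejects absolute names, names with `..` components, backslash separators and NUL bytes, and rejects symlink entries, which can redirect later writes even when every name is clean. The sample archive, destination path and helper names are assumptions for the demo.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// safeExtractPath maps an archive member name onto destDir and refuses any
// name that would resolve outside it.
func safeExtractPath(destDir, name string) (string, error) {
	if name == "" || strings.ContainsAny(name, "\x00\\") {
		return "", fmt.Errorf("refusing member %q: empty, NUL or backslash", name)
	}
	if path.IsAbs(name) {
		return "", fmt.Errorf("refusing member %q: absolute path", name)
	}
	dest, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(dest, filepath.FromSlash(name)) // Join cleans "." and ".."
	rel, err := filepath.Rel(dest, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("refusing member %q: escapes %s", name, dest)
	}
	return full, nil
}

// classifyMembers reads an archive from memory and splits its members into
// those that may be extracted under destDir and those that must be rejected.
func classifyMembers(archive []byte, destDir string) (accepted, rejected []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Since Go 1.20 NewReader reports ErrInsecurePath for absolute or ".."
	// names but still returns a usable reader; decide per member instead.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, nil, err
	}
	for _, f := range zr.File {
		if f.Mode()&os.ModeSymlink != 0 {
			rejected = append(rejected, f.Name)
			continue
		}
		if _, perr := safeExtractPath(destDir, f.Name); perr != nil {
			rejected = append(rejected, f.Name)
			continue
		}
		accepted = append(accepted, f.Name)
	}
	return accepted, rejected, nil
}

// buildDemoArchive constructs a hostile plugin archive in memory: two
// legitimate members and two that try to climb out of the plugins directory.
func buildDemoArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, name := range []string{
		"plugin/facturascripts.ini",
		"plugin/Init.php",
		"../../config.php",
		"plugin/../../Core/Init.php",
	} {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte("demo"))
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	acc, rej, err := classifyMembers(buildDemoArchive(), "/srv/www/Plugins")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("accepted:", acc)
	fmt.Println("rejected:", rej)
}
```

The check is only half the fix: the extractor must also open each destination with O_EXCL or after verifying no symlink already exists at the path, since an earlier member can plant one.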
CVE-2026-8086 MEDIUM - 5.3

A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Manipulation of the argument DimensionName leads to a heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly avai...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD
CVE-2026-8084 LOW - 3.3

A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes an out-of-bounds read. The attack is restricted to local execution. The exploit has...

Vendor: osgeo
Product: gdal
Published: May 07, 2026
Source: NVD
CVE-2026-8083 HIGH - 7.3

A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. Manipulation of the argument ID results in SQL injection. The attack can be executed remotely. The exploit has been made public and could be u...

Published: May 07, 2026
Source: NVD
CVE-2026-44742 HIGH - 7.2

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.

Vendor: Postorius project
Product: Postorius
Published: May 07, 2026
Source: NVD
CVE-2026-42284 CRITICAL - 9.8

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (st...

Vendor: gitpython_project
Product: gitpython
Published: May 07, 2026
Source: NVD
CVE-2026-42215 HIGH - 8.8

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an appli...

Vendor: gitpython-developers
Product: GitPython
Published: May 07, 2026
Source: NVD