Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,840
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 14,621 - 14,640 of 38,923 CVEs
CVE-2026-42202 MEDIUM - 6.5

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip bo...

Vendor: almirhodzic
Product: nova-toggle-5
Published: May 08, 2026
Source: NVD
CVE-2026-42199 MEDIUM - 6.2

Grid is a data structure grid for rust. From version 0.17.0 to before version 1.0.1, an integer overflow in Grid::expand_rows() can corrupt the relationship between the grid’s logical dimensions and its backing storage. After the internal invariant is broken, the safe API get() may invoke get_unchec...

Vendor: becheran
Product: grid
Published: May 08, 2026
Source: NVD

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab&qu...

Vendor: jgraph
Product: drawio
Published: May 08, 2026
Source: NVD
CVE-2026-42193 CRITICAL - 9.1

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook r...

Vendor: useplunk
Product: plunk
Published: May 08, 2026
Source: NVD
CVE-2026-42192 MEDIUM - 5.4

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboa...

Vendor: useplunk
Product: plunk
Published: May 08, 2026
Source: NVD

Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11.

Vendor: emlog
Product: emlog
Published: May 08, 2026
Source: NVD
CVE-2026-44400 HIGH - 8.1

MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMai...

Vendor: MailEnable
Product: MailEnable Enterprise Premium
Published: May 08, 2026
Source: NVD
CVE-2026-44214 MEDIUM - 5.8

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events...

Vendor: npm
Product: eventsource-encoder
Published: May 08, 2026
Source: GitHub
CVE-2026-44213 MEDIUM - 6.5

The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANA_ENDPOINT_P...

Vendor: nuget
Product: OpenTelemetry.Exporter.Instana
Published: May 08, 2026
Source: GitHub
CVE-2026-44247 MEDIUM - 6.8

Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially cau...

Vendor: go
Product: volcano.sh/volcano
Published: May 08, 2026
Source: GitHub
CVE-2026-44211 CRITICAL - 9.6

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time of publication, there are no publicly available patches.

Vendor: npm
Product: cline
Published: May 08, 2026
Source: GitHub
CVE-2026-44209 HIGH - 7.5

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Inject...

Vendor: pip
Product: banks
Published: May 08, 2026
Source: GitHub
CVE-2026-44728 HIGH - 8.2

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-...

Vendor: npm
Product: @babel/plugin-transform-modules-systemjs
Published: May 08, 2026
Source: GitHub
CVE-2026-44200 MEDIUM - 6.5

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish ...

Vendor: pip
Product: wagtail
Published: May 08, 2026
Source: GitHub
CVE-2026-44201 MEDIUM - 5.3

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulner...

Vendor: pip
Product: wagtail
Published: May 08, 2026
Source: GitHub
CVE-2026-44199 MEDIUM - 6.5

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to...

Vendor: pip
Product: wagtail
Published: May 08, 2026
Source: GitHub
CVE-2026-44198 MEDIUM - 4.3

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7...

Vendor: pip
Product: wagtail
Published: May 08, 2026
Source: GitHub
CVE-2026-44197 MEDIUM - 6.5

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disc...

Vendor: pip
Product: wagtail
Published: May 08, 2026
Source: GitHub
CVE-2026-7807 HIGH - 8.1

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms ...

Published: May 08, 2026
Source: NVD
CVE-2026-42282 MEDIUM - 4.3

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the requ...

Vendor: czlonkowski
Product: n8n-mcp
Published: May 08, 2026
Source: NVD