Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,840
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,701 - 14,720 of 38,923 CVEs
CVE-2026-41693 HIGH - 8.2

i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file f...

Vendor: i18next
Product: i18next-fs-backend
Published: May 08, 2026
Source: NVD
CVE-2026-41690 HIGH - 8.6

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach...

Vendor: i18next
Product: i18next-http-middleware
Published: May 08, 2026
Source: NVD
CVE-2026-34354 HIGH - 7.4

Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the Handl...

Vendor: Akamai
Product: Guardicore Platform Agent, Zero Trust Client
Published: May 08, 2026
Source: NVD
CVE-2026-29975 HIGH - 7.5

lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causin...

Published: May 08, 2026
Source: NVD
CVE-2026-29974 HIGH - 7.5

An issue was discovered in kosma minmea 0.3.0. The minmea_scan functions format specifier copies NMEA field data to a caller-provided buffer without a size parameter. Applications using minmea_scan on untrusted input are vulnerable to a stack buffer overflow.

Published: May 08, 2026
Source: NVD
CVE-2026-29972 HIGH - 8.2

nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library writes register data from the server response to the caller-provided buffer based on the response&#...

Published: May 08, 2026
Source: NVD
CVE-2026-44008 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and...

Vendor: npm
Product: vm2
Published: May 08, 2026
Source: GitHub
CVE-2026-40295 MEDIUM - 6.1

Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer โ€” the HTTP Referer header, which is attacker-controllable โ€” without validation for any non-GET re...

Vendor: rubygems
Product: devise
Published: May 08, 2026
Source: GitHub

In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the follow splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ ...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: fs: init flags_valid before calling vfs_fileattr_get syzbot reported a uninit-value bug in [1]. Similar to the "*get" context where the kernel's internal file_kattr structure is initialized before calling vfs_filea...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation o...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs ...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if uf...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about thi...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2026-43469 HIGH - 7.5

In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receivi...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix deadlock between devlink lock and esw->wq esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock. .eswitch_mode_set (acquires devlink loc...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix crash when moving to switchdev mode When moving to switchdev mode when the device doesn't support IPsec, we try to clean up the IPsec resources anyway which causes the crash below, fix that by correctly checking...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2026-43466 HIGH - 8.2

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. ...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2026-43465 CRITICAL - 9.8

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes ...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2026-43464 HIGH - 7.5

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes ta...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD