Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,760
CVE-2026-33079 HIGH - 7.5

In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alte...

Vendor: lepture
Product: mistune
Published: May 06, 2026
Source: NVD
CVE-2026-29090 CRITICAL - 9.9

A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search...

Vendor: rucio
Product: rucio
Published: May 06, 2026
Source: NVD

DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every category of IPv6 address bypasses is_url_safe. This vulnerability is fixed in 1.3.0.

Vendor: npm
Product: dssrf
Published: May 06, 2026
Source: GitHub

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checkin...

Vendor: composer
Product: craftcms/cms
Published: May 06, 2026
Source: GitHub
CVE-2026-44226 MEDIUM - 5.3

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template name...

Vendor: pip
Product: pyload-ng
Published: May 06, 2026
Source: GitHub

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled c...

Vendor: composer
Product: craftcms/cms
Published: May 06, 2026
Source: GitHub

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read eve...

Vendor: composer
Product: craftcms/cms
Published: May 06, 2026
Source: GitHub

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular...

Vendor: go
Product: github.com/QuantumNous/new-api
Published: May 06, 2026
Source: GitHub
CVE-2026-7875 HIGH - 8.8

NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content....

Published: May 06, 2026
Source: NVD
CVE-2026-42503 HIGH - 8.8

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This c...

Vendor: golang.org/x/tools
Product: golang.org/x/tools/gopls
Published: May 06, 2026
Source: NVD
CVE-2026-29080 CRITICAL - 9.9

A SQL injection vulnerability in `FilterEngine.create_sqla_query()` allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint (`GET /dids/<scope>/dids/search`). On Oracle deployments attacker-controlled filter keys and values are ...

Vendor: rucio
Product: rucio
Published: May 06, 2026
Source: NVD
CVE-2026-23870 HIGH - 7.5

A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints; this could lead to server crashes, out-of-memory exceptions or excessive CPU usage, affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react...

Vendor: Meta
Product: react-server-dom-turbopack, react-server-dom-parcel, react-server-dom-webpack
Published: May 06, 2026
Source: NVD

Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3.

Vendor: JohnsonControls
Product: AC2000
Published: May 06, 2026
Source: NVD
CVE-2026-20219 MEDIUM - 5.4

A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed ...

Vendor: Cisco
Product: Cisco Webex Meetings, Cisco Slido
Published: May 06, 2026
Source: NVD
CVE-2026-20195 MEDIUM - 5.3

A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exp...

Vendor: Cisco
Product: Cisco Identity Services Engine Software
Published: May 06, 2026
Source: NVD
CVE-2026-20193 MEDIUM - 4.3

A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access contro...

Vendor: Cisco
Product: Cisco Identity Services Engine Software
Published: May 06, 2026
Source: NVD
CVE-2026-20189 MEDIUM - 4.3

A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker coul...

Vendor: Cisco
Product: Cisco Prime Infrastructure
Published: May 06, 2026
Source: NVD
CVE-2026-20188 HIGH - 7.5

A vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an inadeq...

Vendor: Cisco
Product: Cisco Crosswork Network Change Automation, Cisco Network Services Orchestrator
Published: May 06, 2026
Source: NVD
CVE-2026-20185 HIGH - 7.7

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on a...

Vendor: Cisco
Product: Cisco Small Business Smart and Managed Switches
Published: May 06, 2026
Source: NVD
CVE-2026-20172 MEDIUM - 4.3

A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This vulne...

Vendor: Cisco
Product: Cisco Enterprise Chat and Email
Published: May 06, 2026
Source: NVD