Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,347
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 15,261 - 15,280 of 39,064 CVEs
CVE-2026-37709 CRITICAL - 9.8

Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component

Vendor: composer
Product: snipe/snipe-it
Published: May 07, 2026
Source: NVD
CVE-2026-7415 CRITICAL - 9.8

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of...

Vendor: yarbo
Product: lawn_mower_firmware
Published: May 07, 2026
Source: NVD
CVE-2026-7414 CRITICAL - 9.8

Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone w...

Vendor: yarbo
Product: lawn_mower_firmware
Published: May 07, 2026
Source: NVD
CVE-2026-7413 HIGH - 7.2

A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates.

Vendor: yarbo
Product: lawn_mower_firmware
Published: May 07, 2026
Source: NVD

Cinny is a Matrix client. Prior to 4.10.3, A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victi...

Vendor: npm
Product: cinny
Published: May 07, 2026
Source: GitHub
CVE-2026-40610 MEDIUM - 5.5

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifac...

Vendor: pip
Product: bentoml
Published: May 07, 2026
Source: GitHub
CVE-2026-7821 HIGH - 7.4

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of th...

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-6973 HIGH - 7.2

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-5788 HIGH - 7.0

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-5787 HIGH - 8.9

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-5786 HIGH - 8.8

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

Vendor: ivanti
Product: endpoint_manager_mobile
Published: May 07, 2026
Source: NVD
CVE-2026-36388 MEDIUM - 5.4

A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application an...

Published: May 07, 2026
Source: NVD
CVE-2026-36387 MEDIUM - 6.5

A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to inject malicious files which leads RCE.

Published: May 07, 2026
Source: NVD
CVE-2026-36341 MEDIUM - 5.4

Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint

Published: May 07, 2026
Source: NVD
CVE-2025-65122 HIGH - 7.5

Regex Denial of Service in youtube-regex npm package through version 1.0.5.

Published: May 07, 2026
Source: NVD
CVE-2025-63704 CRITICAL - 9.8

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.

Published: May 07, 2026
Source: NVD
CVE-2025-63703 CRITICAL - 9.8

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

Published: May 07, 2026
Source: NVD
CVE-2025-4397 MEDIUM - 6.8

Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

Published: May 07, 2026
Source: NVD
CVE-2025-4386 MEDIUM - 6.8

Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.​

Published: May 07, 2026
Source: NVD
CVE-2026-42011 HIGH - 7.4

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validati...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat Hardened Images, Red Hat OpenShift Container Platform 4
Published: May 07, 2026
Source: NVD