Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,743
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 15,301 - 15,320 of 38,432 CVEs
CVE-2026-35253 MEDIUM - 4.7

Vulnerability in the Oracle Macaron Tool product of Oracle Open Source Projects. The supported version that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerabili...

Vendor: Oracle Corporation
Product: Oracle Macaron Tool of Oracle Open Source Projects
Published: May 06, 2026
Source: NVD

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript woul...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session.

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD
CVE-2026-2306 MEDIUM - 4.3

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subs...

Published: May 06, 2026
Source: NVD
CVE-2026-5753 MEDIUM - 6.5

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabi...

Published: May 06, 2026
Source: NVD
CVE-2026-3208 MEDIUM - 5.3

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to...

Published: May 06, 2026
Source: NVD
CVE-2026-7573 MEDIUM - 5.0

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org para...

Published: May 06, 2026
Source: NVD
CVE-2026-7572 MEDIUM - 4.4

An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx V...

Published: May 06, 2026
Source: NVD
CVE-2025-71256 HIGH - 7.5

In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71255 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71254 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71253 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71252 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71251 HIGH - 7.5

In IMS, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Vendor: Paramiko
Product: Paramiko
Published: May 06, 2026
Source: NVD
CVE-2026-44221 CRITICAL - 9.0

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninit...

Vendor: maven
Product: com.arcadedb:arcadedb-server
Published: May 05, 2026
Source: GitHub
CVE-2026-44222 MEDIUM - 6.5

vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequ...

Vendor: pip
Product: vllm
Published: May 05, 2026
Source: GitHub

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an up...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub

ciguard is a static security auditor for CI/CD pipelines. From 0.8.0 to 0.8.1, the discover_pipeline_files() function in src/ciguard/discovery.py walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory ...

Vendor: pip
Product: ciguard
Published: May 05, 2026
Source: GitHub