Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 15,321 - 15,340 of 38,432 CVEs

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2.

Vendor: pip
Product: ciguard
Published: May 05, 2026
Source: GitHub
CVE-2026-44219 MEDIUM - 3.7

ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endo...

Vendor: pip
Product: ciguard
Published: May 05, 2026
Source: GitHub

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the ...

Vendor: npm
Product: sse-channel
Published: May 05, 2026
Source: GitHub
CVE-2026-43884 HIGH - 7.7

WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's aut...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43883 MEDIUM - 4.2

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authentica...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-28780 CRITICAL - 9.8

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This is...

Vendor: Apache Software Foundation
Product: Apache HTTP Server
Published: May 05, 2026
Source: NVD
CVE-2026-43882 MEDIUM - 4.3

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper ...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43881 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller ...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-42348 MEDIUM - 5.9

OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could c...

Vendor: nuget
Product: OpenTelemetry.OpAmp.Client
Published: May 05, 2026
Source: GitHub
CVE-2026-43880 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-42338 MEDIUM - 6.1

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6...

Vendor: npm
Product: ip-address
Published: May 05, 2026
Source: GitHub
CVE-2026-43879 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). Whe...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-42541 MEDIUM - 4.3

Kubewarden is a policy engine for Kubernetes. Prior to , An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the can_i host callback. The callback issues a SubjectAccessReview (SAR) requests to enu...

Vendor: go
Product: github.com/kubewarden/kubewarden-controller
Published: May 05, 2026
Source: GitHub
CVE-2026-42334 HIGH - 7.5

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query o...

Vendor: npm
Product: mongoose
Published: May 05, 2026
Source: GitHub

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. Op...

Vendor: rust
Product: openssl
Published: May 05, 2026
Source: GitHub
CVE-2026-42611 HIGH - 8.9

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42608 HIGH - 9.1

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories ...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42609 HIGH - 8.1

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42612 HIGH - 8.5

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attribut...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42610 MEDIUM - 6.5

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user object...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub