Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,731
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 15,341 - 15,360 of 38,432 CVEs
CVE-2026-42613 CRITICAL - 9.4

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the config...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42842 MEDIUM - 5.4

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing ...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42841 MEDIUM - 4.8

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters ...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42607 CRITICAL - 9.1

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, i...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42843 HIGH - 8.8

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any aut...

Vendor: composer
Product: getgrav/grav-plugin-api
Published: May 05, 2026
Source: GitHub
CVE-2026-42315 HIGH - 8.1

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbi...

Vendor: pip
Product: pyload-ng
Published: May 05, 2026
Source: GitHub
CVE-2026-44167 HIGH - 7.5

phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (e.g. X509 certificates, RSA PKCS8 private or public keys, etc.). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and 3.0.52.

Vendor: composer
Product: phpseclib/phpseclib
Published: May 05, 2026
Source: GitHub
CVE-2026-44166 MEDIUM - 7.6

Pocketbase is an open source web backend written in Go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". ...

Vendor: go
Product: github.com/pocketbase/pocketbase
Published: May 05, 2026
Source: GitHub
CVE-2026-41950 MEDIUM - 6.5

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insuffi...

Vendor: langgenius
Product: dify
Published: May 05, 2026
Source: NVD
CVE-2026-39849 HIGH - 8.8

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsma...

Vendor: pi-hole
Product: FTL
Published: May 05, 2026
Source: NVD
CVE-2026-39402 MEDIUM - 6.5

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a d...

Vendor: lxc
Product: lxc
Published: May 05, 2026
Source: NVD
CVE-2026-43891 HIGH - 7.5

changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extr...

Vendor: pip
Product: changedetection.io
Published: May 05, 2026
Source: GitHub
CVE-2026-42314 MEDIUM - 6.5

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolve...

Vendor: pip
Product: pyload-ng
Published: May 05, 2026
Source: GitHub
CVE-2026-42304 HIGH - 7.5

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending ...

Vendor: pip
Product: Twisted
Published: May 05, 2026
Source: GitHub

Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was neve...

Vendor: pip
Product: ethyca-fides
Published: May 05, 2026
Source: GitHub

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated atta...

Vendor: go
Product: github.com/l3montree-dev/devguard
Published: May 05, 2026
Source: GitHub
CVE-2026-42285 HIGH - 7.5

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribu...

Vendor: go
Product: github.com/osrg/gobgp/v4
Published: May 05, 2026
Source: GitHub
CVE-2026-42281 CRITICAL - 8.6

MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata...

Vendor: npm
Product: magicmirror
Published: May 05, 2026
Source: GitHub
CVE-2026-42267 MEDIUM - 5.7

Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue()...

Vendor: composer
Product: kimai/kimai
Published: May 05, 2026
Source: GitHub
CVE-2026-42266 HIGH - 8.8

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The P...

Vendor: pip
Product: jupyterlab
Published: May 05, 2026
Source: GitHub