Total CVEs

145,577

Critical Severity

4,257

High Severity

15,676

Last 7 Days

2,260
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 15,341 - 15,360 of 41,982 CVEs
CVE-2026-46424 MEDIUM - 4.2

Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user iden...

Vendor: npm
Product: @budibase/backend-core
Published: May 19, 2026
Source: GitHub
CVE-2026-46337 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploade...

Vendor: composer
Product: WWBN/AVideo
Published: May 19, 2026
Source: GitHub
CVE-2026-45793 HIGH - 7.5

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUB_TOKEN values usin...

Vendor: composer
Product: composer/composer
Published: May 19, 2026
Source: GitHub
CVE-2026-8706 MEDIUM - 6.5

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.

Vendor: mozilla
Product: firefox
Published: May 19, 2026
Source: NVD
CVE-2026-5804 HIGH - 8.4

An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing ...

Published: May 19, 2026
Source: NVD
CVE-2026-37281 CRITICAL - 9.8

An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter.

Published: May 19, 2026
Source: NVD
CVE-2026-31072 CRITICAL - 9.8

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

Published: May 19, 2026
Source: NVD
CVE-2026-31071 CRITICAL - 9.1

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescrip...

Published: May 19, 2026
Source: NVD
CVE-2026-31070 CRITICAL - 9.8

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body

Published: May 19, 2026
Source: NVD
CVE-2026-31069 HIGH - 8.8

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although fi...

Published: May 19, 2026
Source: NVD
CVE-2026-30118 CRITICAL - 9.8

scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to authentica...

Published: May 19, 2026
Source: NVD
CVE-2026-30117 CRITICAL - 9.8

scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.

Published: May 19, 2026
Source: NVD

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token&...

Vendor: pip
Product: strawberry-graphql
Published: May 19, 2026
Source: GitHub
CVE-2026-45738 HIGH - 7.3

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/* annotations whose pipe-separated values are rendered by ui/src/app/applications/components/application-summary/a...

Vendor: go
Product: github.com/argoproj/argo-cd/v3
Published: May 19, 2026
Source: GitHub
CVE-2026-45737 MEDIUM - 6.3

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From 3.2.0 until 3.2.12, 3.3.10, and 3.4.2, Argo CD ServerSideDiff can expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation because HideSecretData(target, live, ...) does ...

Vendor: go
Product: github.com/argoproj/argo-cd/v3
Published: May 19, 2026
Source: GitHub
CVE-2026-45713 HIGH - 7.5

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45712 MEDIUM - 5.9

Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45711 MEDIUM - 5.9

Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45709 MEDIUM - 5.8

Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45692 MEDIUM - 5.4

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config...

Vendor: go
Product: github.com/caddyserver/caddy/v2
Published: May 19, 2026
Source: GitHub