Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,722
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,401 - 15,420 of 38,432 CVEs
CVE-2026-42997 HIGH - 7.7

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or...

Vendor: OpenStack
Product: Ironic
Published: May 05, 2026
Source: NVD
CVE-2026-38428 CRITICAL - 9.8

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the databa...

Vendor: kestra
Product: kestra
Published: May 05, 2026
Source: NVD
CVE-2026-31835 MEDIUM - 5.4

Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1backup_eligible1 and 1backup_state flags1) based on unverified `authenticatorData` before signature v...

Vendor: dani-garcia
Product: vaultwarden
Published: May 05, 2026
Source: NVD
CVE-2026-30923 HIGH - 7.5

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a si...

Vendor: owasp-modsecurity
Product: ModSecurity
Published: May 05, 2026
Source: NVD
CVE-2026-27960 CRITICAL - 9.8

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin a...

Vendor: OpenCTI-Platform
Product: opencti
Published: May 05, 2026
Source: NVD
CVE-2026-43878 MEDIUM - 6.1

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a <script> block. An attacker who sends a victim to a crafted...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43877 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43876 MEDIUM - 6.4

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43875 MEDIUM - 6.8

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=<email>&pass=<HASH> where <HASH> is the victim's stored password hash (md5(h...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43874 HIGH - 7.2

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the ...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43873 HIGH - 7.5

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on eve...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-42882 CRITICAL - 9.4

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the per...

Vendor: go
Product: github.com/oxyno-zeta/s3-proxy
Published: May 05, 2026
Source: GitHub
CVE-2026-42565 MEDIUM - 4.3

@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round...

Vendor: npm
Product: @workos/authkit-session
Published: May 05, 2026
Source: GitHub

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was ...

Vendor: go
Product: github.com/external-secrets/external-secrets
Published: May 05, 2026
Source: GitHub

Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection at...

Vendor: pip
Product: microdot
Published: May 05, 2026
Source: GitHub
CVE-2026-42048 CRITICAL - 9.6

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths withou...

Vendor: pip
Product: langflow
Published: May 05, 2026
Source: GitHub
CVE-2026-41417 MEDIUM - 5.3

Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same val...

Vendor: maven
Product: io.netty:netty-codec-http
Published: May 05, 2026
Source: GitHub
CVE-2026-42864 CRITICAL - 9.9

FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via httpx.get() with no URL va...

Vendor: pip
Product: firefighter-incident
Published: May 05, 2026
Source: GitHub
CVE-2026-7853 CRITICAL - 9.8

A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the function sprintf of the file /auto_reboot.asp of the component HTTP Handler. This manipulation of the argument enable/time causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made av...

Vendor: dlink
Product: di-8100_firmware
Published: May 05, 2026
Source: NVD
CVE-2026-7851 HIGH - 7.2

A vulnerability was identified in D-Link DI-8100 16.07.26A1. This affects the function sprintf of the file yyxz.asp. The manipulation of the argument ID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

Vendor: dlink
Product: di-8100_firmware
Published: May 05, 2026
Source: NVD