Total CVEs

145,712

Critical Severity

4,267

High Severity

15,730

Last 7 Days

2,375
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,481 - 15,500 of 42,117 CVEs
CVE-2026-37281 CRITICAL - 9.8

An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter.

Published: May 19, 2026
Source: NVD
CVE-2026-31072 CRITICAL - 9.8

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

Published: May 19, 2026
Source: NVD
CVE-2026-31071 CRITICAL - 9.1

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescrip...

Published: May 19, 2026
Source: NVD
CVE-2026-31070 CRITICAL - 9.8

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body

Published: May 19, 2026
Source: NVD
CVE-2026-31069 HIGH - 8.8

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although fi...

Published: May 19, 2026
Source: NVD
CVE-2026-30118 CRITICAL - 9.8

scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to authentica...

Published: May 19, 2026
Source: NVD
CVE-2026-30117 CRITICAL - 9.8

scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.

Published: May 19, 2026
Source: NVD

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token&...

Vendor: pip
Product: strawberry-graphql
Published: May 19, 2026
Source: GitHub
CVE-2026-45738 HIGH - 7.3

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/* annotations whose pipe-separated values are rendered by ui/src/app/applications/components/application-summary/a...

Vendor: go
Product: github.com/argoproj/argo-cd/v3
Published: May 19, 2026
Source: GitHub
CVE-2026-45737 MEDIUM - 6.3

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From 3.2.0 until 3.2.12, 3.3.10, and 3.4.2, Argo CD ServerSideDiff can expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation because HideSecretData(target, live, ...) does ...

Vendor: go
Product: github.com/argoproj/argo-cd/v3
Published: May 19, 2026
Source: GitHub
CVE-2026-45713 HIGH - 7.5

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45712 MEDIUM - 5.9

Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45711 MEDIUM - 5.9

Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45709 MEDIUM - 5.8

Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer

Vendor: go
Product: github.com/axllent/mailpit
Published: May 19, 2026
Source: GitHub
CVE-2026-45692 MEDIUM - 5.4

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config...

Vendor: go
Product: github.com/caddyserver/caddy/v2
Published: May 19, 2026
Source: GitHub
CVE-2026-45670 MEDIUM - 5.4

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack...

Vendor: npm
Product: @nuxt/rspack-builder
Published: May 19, 2026
Source: GitHub
CVE-2026-45669 MEDIUM - 5.4

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only s...

Vendor: npm
Product: nuxt
Published: May 19, 2026
Source: GitHub
CVE-2026-45758 CRITICAL - 9.6

Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI. Aany user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026 may be affected. Security r...

Vendor: pip
Product: guardrails-ai
Published: May 19, 2026
Source: GitHub
CVE-2026-45581 MEDIUM - 5.5

fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in pl...

Vendor: maven
Product: org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim
Published: May 19, 2026
Source: GitHub

zrok is software for sharing web services, files, and network resources. From 0.4.23 until 2.0.3, `zrok2 copy` stores attacker-controlled WebDAV or zrok drive paths such as /../outside.txt in the source inventory and passes them to FilesystemTarget.WriteStream, allowing the sync pipeline to write fi...

Vendor: go
Product: github.com/openziti/zrok/v2
Published: May 19, 2026
Source: GitHub