Showing Year: 2026 (January 1 - December 31, 2026)
Showing 15,581 - 15,600 of 38,432 CVEs

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched i...

Vendor: rubygems
Product: net-imap
Published: May 04, 2026
Source: GitHub

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of...

Vendor: rubygems
Product: net-imap
Published: May 04, 2026
Source: GitHub

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are ...

Vendor: rubygems
Product: net-imap
Published: May 04, 2026
Source: GitHub

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions ...

Vendor: rubygems
Product: net-imap
Published: May 04, 2026
Source: GitHub

CVE-2026-42601 CRITICAL - 9.8

ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins ru...

Vendor: pip
Product: archivebox
Published: May 04, 2026
Source: GitHub

CVE-2026-42575 HIGH - 7.5

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available...

Vendor: go
Product: chainguard.dev/apko
Published: May 04, 2026
Source: GitHub

CVE-2026-42574 HIGH - 7.5

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or l...

Vendor: go
Product: chainguard.dev/apko
Published: May 04, 2026
Source: GitHub

CVE-2026-42576 MEDIUM - 6.5

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g....

Vendor: go
Product: chainguard.dev/apko
Published: May 04, 2026
Source: GitHub

Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user ...

Vendor: go
Product: github.com/pelicanplatform/pelican
Published: May 04, 2026
Source: GitHub

CVE-2026-42569 CRITICAL - 9.4

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.

Vendor: composer
Product: nabeel/phpvms
Published: May 04, 2026
Source: GitHub

CVE-2026-42606 HIGH - 8.1

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to an...

Vendor: composer
Product: azuracast/azuracast
Published: May 04, 2026
Source: GitHub

CVE-2026-42605 HIGH - 8.8

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem s...

Vendor: composer
Product: azuracast/azuracast
Published: May 04, 2026
Source: GitHub

CVE-2026-7779 MEDIUM - 4.3

A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication-subscription Endpoint. Performing a manipulation results in denial of service. Remote exploitation o...

Published: May 04, 2026
Source: NVD

CVE-2026-42238 CRITICAL - 9.8

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upl...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD

CVE-2026-42223 MEDIUM - 6.5

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however,...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD

CVE-2026-42222 HIGH - 8.1

Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD

CVE-2026-42221 HIGH - 8.1

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD

CVE-2026-42220 MEDIUM - 6.5

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret ...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD

Quarkus OpenAPI Generator is a Quarkus extension for generating REST clients and server stubs. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A securi...

Vendor: maven
Product: io.quarkiverse.openapi.generator:quarkus-openapi-generator
Published: May 04, 2026
Source: GitHub

CVE-2026-41901 CRITICAL - 9.0

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expression...

Vendor: maven
Product: org.thymeleaf:thymeleaf
Published: May 04, 2026
Source: GitHub