Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,900
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 15,581 - 15,600 of 38,670 CVEs
CVE-2026-42841 MEDIUM - 4.8

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters ...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42607 CRITICAL - 9.1

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, i...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42843 HIGH - 8.8

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any aut...

Vendor: composer
Product: getgrav/grav-plugin-api
Published: May 05, 2026
Source: GitHub
CVE-2026-42315 HIGH - 8.1

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbi...

Vendor: pip
Product: pyload-ng
Published: May 05, 2026
Source: GitHub
CVE-2026-44167 HIGH - 7.5

phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (eg. X509 certificates, RSA PKCS8 private or public keys, etc). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and 3.0.52.

Vendor: composer
Product: phpseclib/phpseclib
Published: May 05, 2026
Source: GitHub
CVE-2026-44166 MEDIUM - 7.6

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". ...

Vendor: go
Product: github.com/pocketbase/pocketbase
Published: May 05, 2026
Source: GitHub
CVE-2026-41950 MEDIUM - 6.5

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insuffi...

Vendor: langgenius
Product: dify
Published: May 05, 2026
Source: NVD
CVE-2026-39849 HIGH - 8.8

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsma...

Vendor: pi-hole
Product: FTL
Published: May 05, 2026
Source: NVD
CVE-2026-39402 MEDIUM - 6.5

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a d...

Vendor: lxc
Product: lxc
Published: May 05, 2026
Source: NVD
CVE-2026-43891 HIGH - 7.5

changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extr...

Vendor: pip
Product: changedetection.io
Published: May 05, 2026
Source: GitHub
CVE-2026-42314 MEDIUM - 6.5

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolve...

Vendor: pip
Product: pyload-ng
Published: May 05, 2026
Source: GitHub
CVE-2026-42304 HIGH - 7.5

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending ...

Vendor: pip
Product: Twisted
Published: May 05, 2026
Source: GitHub

Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was neve...

Vendor: pip
Product: ethyca-fides
Published: May 05, 2026
Source: GitHub

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated atta...

Vendor: go
Product: github.com/l3montree-dev/devguard
Published: May 05, 2026
Source: GitHub
CVE-2026-42285 HIGH - 7.5

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribu...

Vendor: go
Product: github.com/osrg/gobgp/v4
Published: May 05, 2026
Source: GitHub
CVE-2026-42281 CRITICAL - 8.6

MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata...

Vendor: npm
Product: magicmirror
Published: May 05, 2026
Source: GitHub
CVE-2026-42267 MEDIUM - 5.7

Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue()...

Vendor: composer
Product: kimai/kimai
Published: May 05, 2026
Source: GitHub
CVE-2026-42266 HIGH - 8.8

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The P...

Vendor: pip
Product: jupyterlab
Published: May 05, 2026
Source: GitHub
CVE-2026-42260 HIGH - 8.2

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF with t...

Vendor: npm
Product: open-websearch
Published: May 05, 2026
Source: GitHub
CVE-2026-43939 HIGH - 7.3

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output enc...

Vendor: nuget
Product: YAFNET.Core
Published: May 05, 2026
Source: GitHub