Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,724
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 15,601 - 15,620 of 38,432 CVEs
CVE-2026-41895 HIGH - 7.5

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed enti...

Vendor: pip
Product: changedetection.io
Published: May 04, 2026
Source: GitHub
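The entry above describes a parser built without turning off entity resolution, DTD loading or network access. The following is an added example, not changedetection.io's code: it shows the belt-and-braces check a feed consumer can run before handing untrusted XML/RSS to any parser, using only the standard library (the expat pre-pass refuses every DOCTYPE and entity declaration, which is where an external entity or an entity-expansion bomb has to live). In lxml terms the equivalent constructor knobs are `etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)`; that configuration is an assumption about what the fix needs, not a statement of what the project changed. Both sample feeds are constructed.

```python
"""Guard an XML/RSS parse against XXE: refuse any document that declares a DTD.

Added example (not changedetection.io code). It uses the stdlib expat parser
as a pre-check and then parses with xml.etree; the sample feeds are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an inbound document declares a DOCTYPE or an entity."""


def assert_no_dtd(data: bytes) -> None:
    """First pass: walk the document with expat and abort on DOCTYPE/ENTITY.

    An external entity (SYSTEM "file:///...") or a billion-laughs payload can
    only exist inside a DTD, so refusing the DTD outright closes both holes
    regardless of what the downstream parser's defaults happen to be.
    """
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def on_entity(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(data, True)  # exceptions raised inside handlers propagate out of Parse


def extract_titles(data: bytes) -> list:
    """Parse an RSS feed only after the DTD guard passes."""
    assert_no_dtd(data)
    root = ET.fromstring(data)
    return [el.text or "" for el in root.iter("title")]


# Constructed sample inputs for this example.
BENIGN_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><item><title>Release 1.2</title></item></channel></rss>"""

XXE_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY secret SYSTEM "file:///etc/hostname"> ]>
<rss version="2.0"><channel><item><title>&secret;</title></item></channel></rss>"""


def demo() -> dict:
    """Run both feeds through the guarded parser and report what happened."""
    result = {"benign": extract_titles(BENIGN_FEED)}
    try:
        extract_titles(XXE_FEED)
        result["xxe"] = "parsed"
    except UnsafeXMLError as exc:
        result["xxe"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    print(demo())
```

The stdlib parsers already decline to fetch external entities by default; the guard exists so that swapping in a different parser (or a differently configured one) cannot silently reopen the hole.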
CVE-2026-41893 HIGH - 7.5

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSo...

Vendor: npm
Product: signalk-server
Published: May 04, 2026
Source: GitHub

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0....

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: May 04, 2026
Source: GitHub

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are pas...

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: May 04, 2026
Source: GitHub
CVE-2026-41888 MEDIUM - 6.5

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the ...

Vendor: go
Product: github.com/distribution/distribution/v3
Published: May 04, 2026
Source: GitHub
CVE-2026-42311 HIGH - 7.8

Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub
CVE-2026-42310 MEDIUM - 5.5

Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub
CVE-2026-42308 MEDIUM - 5.5

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub
CVE-2026-42309 MEDIUM - 5.5

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively ...

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub
CVE-2026-7768 HIGH - 7.5

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js...

Vendor: npm
Product: @fastify/accepts-serializer
Published: May 04, 2026
Source: NVD
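The entry above is the classic unbounded-cache shape: one entry per distinct value of an attacker-controlled header, no cap, no eviction. The block below is an added example, not @fastify/accepts-serializer code, written in Python so it runs stand-alone: it puts an unbounded dict cache next to a canonicalizing, size-capped LRU cache and floods both with a constructed stream of distinct Accept values. The serializer table and the header generator are assumptions made for the demonstration.

```python
"""A bounded, LRU-evicting cache for a per-request lookup keyed by a client header.

Added example, not @fastify/accepts-serializer code. It contrasts an unbounded
dict cache with one that canonicalizes the Accept header and caps its size, and
feeds both a stream of distinct Accept values (constructed).
"""
from collections import OrderedDict


def canonical_accept(header: str) -> str:
    """Collapse whitespace, case and ordering variants so they share one cache entry."""
    parts = []
    for item in header.split(","):
        item = item.strip().lower()
        if not item:
            continue
        media, *params = (p.strip() for p in item.split(";"))
        parts.append(";".join([media] + sorted(params)))
    return ",".join(sorted(parts))


class UnboundedCache:
    """Grows by one entry per distinct raw header string: the vulnerable shape."""

    def __init__(self):
        self.store = {}

    def get_or_compute(self, key, compute):
        if key not in self.store:
            self.store[key] = compute(key)
        return self.store[key]

    def __len__(self):
        return len(self.store)


class BoundedLRUCache:
    """Canonicalizes the key and evicts least-recently-used entries past max_size."""

    def __init__(self, max_size=256):
        self.max_size = max_size
        self.store = OrderedDict()

    def get_or_compute(self, raw_key, compute):
        key = canonical_accept(raw_key)
        if key in self.store:
            self.store.move_to_end(key)  # mark as recently used
            return self.store[key]
        value = compute(key)
        self.store[key] = value
        if len(self.store) > self.max_size:
            self.store.popitem(last=False)  # drop the least recently used entry
        return value

    def __len__(self):
        return len(self.store)


def pick_serializer(accept: str) -> str:
    """Stand-in for content negotiation: first supported type wins (constructed table)."""
    supported = ("application/json", "text/html", "text/plain")
    for item in accept.split(","):
        media = item.split(";")[0].strip().lower()
        if media in supported:
            return media
        if media == "*/*":
            return supported[0]
    return supported[0]


def attacker_headers(n: int):
    """n distinct header strings that all negotiate JSON: q-value and whitespace noise."""
    for i in range(n):
        yield f"application/json;q=0.{i % 1000:03d}" + " " * (i // 1000)


def run_flood(n: int = 5000, max_size: int = 256) -> dict:
    """Send n distinct headers through both caches and report their final sizes."""
    unbounded, bounded = UnboundedCache(), BoundedLRUCache(max_size)
    for header in attacker_headers(n):
        unbounded.get_or_compute(header, pick_serializer)
        bounded.get_or_compute(header, pick_serializer)
    return {"unbounded": len(unbounded), "bounded": len(bounded)}


if __name__ == "__main__":
    print(run_flood())
```

Canonicalization alone is not a fix: the q-value variants above still produce a thousand distinct keys, and an attacker can always mint more. The size cap is what turns the growth into a constant.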
CVE-2026-6321 HIGH - 7.5

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

Vendor: npm
Product: fast-uri
Published: May 04, 2026
Source: NVD
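The entry above turns on ordering: percent-decoding a path before dot-segment removal lets "%2F" and "%2E%2E" act as a real separator and a real parent reference. The block below is an added example, not fast-uri's code, written in Python so it runs stand-alone: it implements RFC 3986 dot-segment removal, then contrasts the decode-first ordering the advisory describes with a normalizer that keeps "%2F" and "%2E" encoded and decodes only percent-encodings of unreserved characters. Excluding "." from the decodable set is this example's conservative choice, not an RFC requirement; the probe paths are constructed.

```python
"""Path normalization that keeps percent-encoded separators and dot segments encoded.

Added example, not fast-uri's code. `normalize_decode_first` reproduces the
ordering the advisory describes (decode, then remove dot segments);
`normalize_safe` removes dot segments on the encoded form and only decodes
percent-encodings of unreserved characters, so "%2F" and "%2E" never turn into
"/" or ".". The probe paths are constructed.
"""
import re
from urllib.parse import unquote

# RFC 3986 unreserved set minus ".", so an encoded dot can never become a dot segment.
_DECODABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_~")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4, applied to a path that has NOT been percent-decoded."""
    absolute = path.startswith("/")
    segs = path.split("/")[1:] if absolute else path.split("/")
    out = []
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")  # "/a/." -> "/a/"
            continue
        if seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")  # "/a/b/.." -> "/a/"
            continue
        out.append(seg)
    joined = "/".join(out)
    return "/" + joined if absolute else joined


def decode_unreserved(path: str) -> str:
    """Decode only %XX sequences for unreserved characters; upper-case the hex of the rest."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in _DECODABLE else "%" + m.group(1).upper()
    return _PCT.sub(repl, path)


def normalize_decode_first(path: str) -> str:
    """The vulnerable ordering: full percent-decoding, then dot-segment removal."""
    return remove_dot_segments(unquote(path))


def normalize_safe(path: str) -> str:
    """Dot-segment removal on the encoded form; only unreserved octets are decoded."""
    return remove_dot_segments(decode_unreserved(path))


def equal_decode_first(a: str, b: str) -> bool:
    return normalize_decode_first(a) == normalize_decode_first(b)


def equal_safe(a: str, b: str) -> bool:
    return normalize_safe(a) == normalize_safe(b)


# Constructed probes: each left-hand path collapses onto the right-hand one under decode-first.
PROBES = [
    ("/api/users/..%2Fadmin", "/api/admin"),
    ("/api/%2E%2E/admin", "/admin"),
    ("/static/%2e%2e%2f%2e%2e%2fetc%2fpasswd", "/etc/passwd"),
]

if __name__ == "__main__":
    for raw, target in PROBES:
        print(f"{raw!r}: decode-first -> {normalize_decode_first(raw)!r}, "
              f"safe -> {normalize_safe(raw)!r} (target {target!r})")
```

An allow/deny decision made on `normalize_safe` output still has to be paired with a consumer that does not decode "%2F" into a separator afterwards; the normalizer only guarantees that two paths which compare equal really are the same resource.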

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains a stack-based buffer overflow vulnerability in the firewall.cgi and makeRequest.cgi binaries that allows unauthenticated attackers to overwrite the saved return address by sending a POST request with a Content-Length header exceeding 51...

Vendor: Shenzhen Yipu Commercial and Trading Co., Ltd
Product: WDR201A WiFi Extender
Published: May 04, 2026
Source: NVD

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, webs...

Vendor: Shenzhen Yipu Commercial and Trading Co., Ltd
Product: WDR201A WiFi Extender
Published: May 04, 2026
Source: NVD

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. A...

Vendor: Shenzhen Yipu Commercial and Trading Co., Ltd
Product: WDR201A WiFi Extender
Published: May 04, 2026
Source: NVD

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can...

Vendor: Shenzhen Yipu Commercial and Trading Co., Ltd
Product: WDR201A WiFi Extender
Published: May 04, 2026
Source: NVD

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsani...

Vendor: Shenzhen Yipu Commercial and Trading Co., Ltd
Product: WDR201A WiFi Extender
Published: May 04, 2026
Source: NVD

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can ex...

Vendor: Shenzhen Yipu Commercial and Trading Co., Ltd
Product: WDR201A WiFi Extender
Published: May 04, 2026
Source: NVD

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2026-6074. Reason: This record is a reservation duplicate of CVE-2026-6074. Notes: All CVE users should reference CVE-2026-6074 instead of this record. All references and descriptions in this record have been removed to prevent accidental ...

Published: May 04, 2026
Source: NVD
CVE-2025-67796 HIGH - 8.1

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users' data...

Published: May 04, 2026
Source: NVD
CVE-2026-42301 HIGH - 7.8

pyp2spec generates working Fedora RPM spec files for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so...

Vendor: pip
Product: pyp2spec
Published: May 04, 2026
Source: GitHub