Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,621 - 15,640 of 38,432 CVEs
CVE-2026-42295 HIGH - 4.9

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git ...

Vendor: go
Product: github.com/argoproj/argo-workflows/v4
Published: May 04, 2026
Source: GitHub
CVE-2026-42296 HIGH - 8.1

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod securit...

Vendor: go
Product: github.com/argoproj/argo-workflows/v3
Published: May 04, 2026
Source: GitHub
CVE-2026-42294 HIGH - 7.5

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api...

Vendor: go
Product: github.com/argoproj/argo-workflows/v3
Published: May 04, 2026
Source: GitHub

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match ...

Vendor: go
Product: github.com/argoproj/argo-workflows/v4
Published: May 04, 2026
Source: GitHub
CVE-2026-42297 HIGH - 8.3

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, r...

Vendor: go
Product: github.com/argoproj/argo-workflows/v4
Published: May 04, 2026
Source: GitHub

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.

Vendor: composer
Product: getkirby/cms
Published: May 04, 2026
Source: GitHub

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

Vendor: composer
Product: getkirby/cms
Published: May 04, 2026
Source: GitHub

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

Vendor: composer
Product: getkirby/cms
Published: May 04, 2026
Source: GitHub
CVE-2026-41685 MEDIUM - 4.3

Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amount of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact here is limited for anyone using storage.images_volume and storage.b...

Vendor: go
Product: github.com/lxc/incus/v6/cmd/incusd
Published: May 04, 2026
Source: GitHub
CVE-2026-41684 MEDIUM - 6.5

Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inl...

Vendor: go
Product: github.com/lxc/incus/v6/cmd/incusd
Published: May 04, 2026
Source: GitHub

Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when par...

Vendor: go
Product: github.com/lxc/incus/v6/cmd/incusd
Published: May 04, 2026
Source: GitHub
CVE-2026-41647 MEDIUM - 6.5

Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0.

Vendor: go
Product: github.com/lxc/incus/v6/cmd/incusd
Published: May 04, 2026
Source: GitHub
CVE-2026-41258 CRITICAL - 9.1

OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The Velocit...

Vendor: maven
Product: org.openmrs.api:openmrs-api
Published: May 04, 2026
Source: GitHub
CVE-2026-41181 MEDIUM - 5.8

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matching the configured status range, the middleware forwards t...

Vendor: go
Product: github.com/traefik/traefik/v2
Published: May 04, 2026
Source: GitHub
CVE-2026-40893 HIGH - 8.2

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. Th...

Vendor: go
Product: github.com/gotenberg/gotenberg/v8
Published: May 04, 2026
Source: GitHub
CVE-2026-40251 MEDIUM - 6.5

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bo...

Vendor: go
Product: github.com/lxc/incus/v6/cmd/incusd
Published: May 04, 2026
Source: GitHub

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

Vendor: Postfix
Product: Postfix
Published: May 04, 2026
Source: NVD
CVE-2026-42154 HIGH - 7.5

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a smal...

Vendor: prometheus
Product: prometheus
Published: May 04, 2026
Source: NVD
CVE-2026-42151 HIGH - 7.5

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving ...

Vendor: prometheus
Product: prometheus
Published: May 04, 2026
Source: NVD
CVE-2026-38751 HIGH - 7.2

OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)

Published: May 04, 2026
Source: NVD