Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,507
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 15,621 - 15,640 of 40,198 CVEs
CVE-2026-44573 HIGH - 7.5

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<...

Vendor: npm
Product: next
Published: May 11, 2026
Source: GitHub

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 Β§6.9.5.1 β€” it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). Concurre...

Vendor: go
Product: github.com/ellanetworks/core
Published: May 11, 2026
Source: GitHub
CVE-2026-44475 MEDIUM - 6.1

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with ...

Vendor: go
Product: github.com/ellanetworks/core
Published: May 11, 2026
Source: GitHub
CVE-2026-44473 HIGH - 7.1

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-conne...

Vendor: go
Product: github.com/ellanetworks/core
Published: May 11, 2026
Source: GitHub
CVE-2026-45017 HIGH - 7.5

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render...

Vendor: pip
Product: python-liquid
Published: May 11, 2026
Source: GitHub
CVE-2026-44432 HIGH - 7.5

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.dra...

Vendor: pip
Product: urllib3
Published: May 11, 2026
Source: GitHub
CVE-2026-44431 HIGH - 5.3

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

Vendor: pip
Product: urllib3
Published: May 11, 2026
Source: GitHub

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose valu...

Vendor: go
Product: github.com/go-git/go-git/v6
Published: May 11, 2026
Source: GitHub
CVE-2026-44971 HIGH - 8.2

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an ...

Vendor: pip
Product: guarddog
Published: May 11, 2026
Source: GitHub
CVE-2026-44972 MEDIUM - 5.0

GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject AN...

Vendor: pip
Product: guarddog
Published: May 11, 2026
Source: GitHub
CVE-2026-44902 HIGH - 7.5

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid ...

Vendor: npm
Product: @opentelemetry/exporter-prometheus
Published: May 11, 2026
Source: GitHub
CVE-2026-44353 MEDIUM - 6.5

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/fi...

Vendor: pip
Product: streamlink
Published: May 11, 2026
Source: GitHub
CVE-2026-44346 HIGH - 8.8

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentom...

Vendor: pip
Product: bentoml
Published: May 11, 2026
Source: GitHub
CVE-2026-44345 HIGH - 8.8

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bent...

Vendor: pip
Product: bentoml
Published: May 11, 2026
Source: GitHub
CVE-2026-44570 HIGH - 8.3

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memori...

Vendor: pip
Product: open-webui
Published: May 11, 2026
Source: GitHub
CVE-2026-8290 MEDIUM - 4.3

A security flaw has been discovered in Open5GS up to 2.7.7. This issue affects the function smf_nsmf_handle_update_data_in_vsmf of the file /src/smf/nsmf-handler.c of the component SMF. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been released ...

Vendor: open5gs
Product: open5gs
Published: May 11, 2026
Source: NVD
CVE-2026-8289 MEDIUM - 4.3

A vulnerability was identified in Open5GS up to 2.7.7. This vulnerability affects the function smf_nsmf_handle_update_data_in_vsmf of the file /src/smf/nsmf-handler.c of the component SMF. The manipulation of the argument qosFlowProfile leads to denial of service. Remote exploitation of the attack i...

Vendor: open5gs
Product: open5gs
Published: May 11, 2026
Source: NVD
CVE-2026-4802 HIGH - 8.0

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substi...

Published: May 11, 2026
Source: NVD
CVE-2026-44985 HIGH - 9.6

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables C...

Vendor: go
Product: github.com/amir20/dozzle
Published: May 11, 2026
Source: GitHub
CVE-2026-44571 MEDIUM - 6.5

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither group nor dm), the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update can be accessed with read ...

Vendor: pip
Product: open-webui
Published: May 11, 2026
Source: GitHub