Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,724
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 15,681 - 15,700 of 38,432 CVEs
CVE-2026-42077 MEDIUM - 5.2

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in...

Vendor: EvoMap
Product: evolver
Published: May 04, 2026
Source: NVD
CVE-2026-42076 CRITICAL - 9.8

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to...

Vendor: EvoMap
Product: evolver
Published: May 04, 2026
Source: NVD
CVE-2026-42075 HIGH - 8.1

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enablin...

Vendor: EvoMap
Product: evolver
Published: May 04, 2026
Source: NVD
CVE-2026-42027 CRITICAL - 9.8

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no...

Vendor: Apache Software Foundation
Product: Apache OpenNLP
Published: May 04, 2026
Source: NVD
CVE-2026-40682 CRITICAL - 9.1

XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCES...

Vendor: Apache Software Foundation
Product: Apache OpenNLP
Published: May 04, 2026
Source: NVD
CVE-2026-38669 MEDIUM - 6.1

wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.

Published: May 04, 2026
Source: NVD
CVE-2026-37461 HIGH - 7.5

An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted BGP UPDATE message.

Vendor: osrg
Product: gobgp
Published: May 04, 2026
Source: NVD
CVE-2026-29514 HIGH - 8.8

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the env...

Vendor: netbox-community
Product: netbox
Published: May 04, 2026
Source: NVD
CVE-2026-26956 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

Vendor: patriksimek
Product: vm2
Published: May 04, 2026
Source: NVD
CVE-2026-26332 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Vendor: patriksimek
Product: vm2
Published: May 04, 2026
Source: NVD
CVE-2026-25293 CRITICAL - 9.6

Buffer overflow due to incorrect authorization in PLC FW

Vendor: Qualcomm, Inc.
Product: Snapdragon
Published: May 04, 2026
Source: NVD
CVE-2026-25266 MEDIUM - 5.5

Memory corruption while processing IOCTL command when device is in power-save state.

Vendor: Qualcomm, Inc.
Product: Snapdragon
Published: May 04, 2026
Source: NVD
CVE-2026-24781 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patc...

Vendor: patriksimek
Product: vm2
Published: May 04, 2026
Source: NVD
CVE-2026-24120 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3...

Vendor: patriksimek
Product: vm2
Published: May 04, 2026
Source: NVD
CVE-2026-24118 CRITICAL - 9.8

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Vendor: patriksimek
Product: vm2
Published: May 04, 2026
Source: NVD
CVE-2026-24082 HIGH - 7.8

Memory corruption when copying data from a freed source while executing performance counter deselect operation.

Vendor: Qualcomm, Inc.
Product: Snapdragon
Published: May 04, 2026
Source: NVD
CVE-2025-47408 HIGH - 7.8

Memory corruption when another driver calls an IOCTL with invalid input/output buffer.

Vendor: Qualcomm, Inc.
Product: Snapdragon
Published: May 04, 2026
Source: NVD
CVE-2025-47407 HIGH - 7.8

Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level.

Vendor: Qualcomm, Inc.
Product: Snapdragon
Published: May 04, 2026
Source: NVD
CVE-2025-47406 MEDIUM - 6.1

Information disclosure while processing IOCTL handler callbacks without verifying buffer size.

Vendor: Qualcomm, Inc.
Product: Snapdragon
Published: May 04, 2026
Source: NVD
CVE-2025-47405 HIGH - 7.8

Memory corruption when processing camera sensor input/output control codes with invalid output buffers.

Vendor: Qualcomm, Inc.
Product: Snapdragon
Published: May 04, 2026
Source: NVD