Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,827
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 15,701 - 15,720 of 38,803 CVEs
CVE-2026-43880 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-42338 MEDIUM - 6.1

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6...

Vendor: npm
Product: ip-address
Published: May 05, 2026
Source: GitHub
CVE-2026-43879 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). Whe...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-42541 MEDIUM - 4.3

Kubewarden is a policy engine for Kubernetes. Prior to , An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the can_i host callback. The callback issues a SubjectAccessReview (SAR) requests to enu...

Vendor: go
Product: github.com/kubewarden/kubewarden-controller
Published: May 05, 2026
Source: GitHub
CVE-2026-42334 HIGH - 7.5

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query o...

Vendor: npm
Product: mongoose
Published: May 05, 2026
Source: GitHub

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. Op...

Vendor: rust
Product: openssl
Published: May 05, 2026
Source: GitHub
CVE-2026-42611 HIGH - 8.9

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42608 HIGH - 9.1

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories ...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42609 HIGH - 8.1

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42612 HIGH - 8.5

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attribut...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42610 MEDIUM - 6.5

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user object...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42613 CRITICAL - 9.4

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the config...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42842 MEDIUM - 5.4

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing ...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42841 MEDIUM - 4.8

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters ...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42607 CRITICAL - 9.1

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, i...

Vendor: composer
Product: getgrav/grav
Published: May 05, 2026
Source: GitHub
CVE-2026-42843 HIGH - 8.8

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any aut...

Vendor: composer
Product: getgrav/grav-plugin-api
Published: May 05, 2026
Source: GitHub
CVE-2026-42315 HIGH - 8.1

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbi...

Vendor: pip
Product: pyload-ng
Published: May 05, 2026
Source: GitHub
CVE-2026-44167 HIGH - 7.5

phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (eg. X509 certificates, RSA PKCS8 private or public keys, etc). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and 3.0.52.

Vendor: composer
Product: phpseclib/phpseclib
Published: May 05, 2026
Source: GitHub
CVE-2026-44166 MEDIUM - 7.6

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". ...

Vendor: go
Product: github.com/pocketbase/pocketbase
Published: May 05, 2026
Source: GitHub
CVE-2026-41950 MEDIUM - 6.5

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insuffi...

Vendor: langgenius
Product: dify
Published: May 05, 2026
Source: NVD