Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,827
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 15,721 - 15,740 of 38,803 CVEs
CVE-2026-39849 HIGH - 8.8

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsma...

Vendor: pi-hole
Product: FTL
Published: May 05, 2026
Source: NVD
CVE-2026-39402 MEDIUM - 6.5

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a d...

Vendor: lxc
Product: lxc
Published: May 05, 2026
Source: NVD
CVE-2026-43891 HIGH - 7.5

changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extr...

Vendor: pip
Product: changedetection.io
Published: May 05, 2026
Source: GitHub
CVE-2026-42314 MEDIUM - 6.5

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolve...

Vendor: pip
Product: pyload-ng
Published: May 05, 2026
Source: GitHub
CVE-2026-42304 HIGH - 7.5

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending ...

Vendor: pip
Product: Twisted
Published: May 05, 2026
Source: GitHub

Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was neve...

Vendor: pip
Product: ethyca-fides
Published: May 05, 2026
Source: GitHub

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated atta...

Vendor: go
Product: github.com/l3montree-dev/devguard
Published: May 05, 2026
Source: GitHub
CVE-2026-42285 HIGH - 7.5

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribu...

Vendor: go
Product: github.com/osrg/gobgp/v4
Published: May 05, 2026
Source: GitHub
CVE-2026-42281 CRITICAL - 8.6

MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata...

Vendor: npm
Product: magicmirror
Published: May 05, 2026
Source: GitHub
CVE-2026-42267 MEDIUM - 5.7

Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue()...

Vendor: composer
Product: kimai/kimai
Published: May 05, 2026
Source: GitHub
CVE-2026-42266 HIGH - 8.8

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The P...

Vendor: pip
Product: jupyterlab
Published: May 05, 2026
Source: GitHub
CVE-2026-42260 HIGH - 8.2

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF with t...

Vendor: npm
Product: open-websearch
Published: May 05, 2026
Source: GitHub
CVE-2026-43939 HIGH - 7.3

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post or reply that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output enc...

Vendor: nuget
Product: YAFNET.Core
Published: May 05, 2026
Source: GitHub
CVE-2026-43937 HIGH - 8.8

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and pas...

Vendor: nuget
Product: YAFNET.Core
Published: May 05, 2026
Source: GitHub
CVE-2026-43938 HIGH - 8.1

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Descrip...

Vendor: nuget
Product: YAFNET.Core
Published: May 05, 2026
Source: GitHub

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive v...

Vendor: npm
Product: parse-server
Published: May 05, 2026
Source: GitHub
CVE-2026-43929 HIGH - 8.2

ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser bu...

Vendor: npm
Product: ssrfcheck
Published: May 05, 2026
Source: GitHub
CVE-2026-7857 HIGH - 7.2

A vulnerability has been found in D-Link DI-8100 16.07.26A1. This vulnerability affects the function sprintf of the file /user_group.asp of the component CGI Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may...

Vendor: dlink
Product: di-8100_firmware
Published: May 05, 2026
Source: NVD
CVE-2026-7856 HIGH - 7.2

A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing a manipulation of the argument Name can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and m...

Vendor: dlink
Product: di-8100_firmware
Published: May 05, 2026
Source: NVD
CVE-2026-44331 HIGH - 8.1

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, ...

Vendor: ProFTPD
Product: ProFTPD
Published: May 05, 2026
Source: NVD