Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,881
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,761 - 15,780 of 38,670 CVEs
CVE-2026-6322 HIGH - 7.5

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator,...

Vendor: npm
Product: fast-uri
Published: May 05, 2026
Source: NVD
CVE-2025-42611 MEDIUM - 6.5

RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses ...

Vendor: Mikrotik
Product: RouterOS
Published: May 05, 2026
Source: NVD
CVE-2026-43870 HIGH - 7.3

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue af...

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD
CVE-2026-43868 MEDIUM - 5.3

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD
CVE-2026-3601 MEDIUM - 4.3

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-lev...

Published: May 05, 2026
Source: NVD
CVE-2026-3359 HIGH - 7.5

The Form Maker by 10Web โ€“ Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara...

Published: May 05, 2026
Source: NVD
CVE-2026-43869 HIGH - 7.3

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD

An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive...

Published: May 05, 2026
Source: NVD
CVE-2026-6418 MEDIUM - 4.9

An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with ad...

Vendor: papercut
Product: papercut_mf
Published: May 05, 2026
Source: NVD
CVE-2026-6180 HIGH - 8.1

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification f...

Vendor: papercut
Product: papercut_mf
Published: May 05, 2026
Source: NVD
CVE-2026-5192 HIGH - 7.5

The Forminator Forms โ€“ Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents...

Published: May 05, 2026
Source: NVD
CVE-2026-40797 CRITICAL - 9.3

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: from n/a through 4.08.253.

Vendor: Saleswonder LLC
Product: WebinarIgnition
Published: May 05, 2026
Source: NVD
CVE-2026-3454 MEDIUM - 6.5

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that th...

Published: May 05, 2026
Source: NVD
CVE-2026-2729 MEDIUM - 5.3

The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public pay...

Published: May 05, 2026
Source: NVD
CVE-2026-7823 CRITICAL - 9.8

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. The exploit has been released to the p...

Published: May 05, 2026
Source: NVD
CVE-2026-7822 MEDIUM - 6.3

A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

Published: May 05, 2026
Source: NVD
CVE-2026-7812 HIGH - 7.3

A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack c...

Published: May 05, 2026
Source: NVD
CVE-2026-7811 HIGH - 7.3

A vulnerability has been found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The affected element is the function is_safe_path of the file src/code_mcp/server.py of the component MCP File Handler. Such manipulation leads to path traversal. It is possible to launch the attack rem...

Published: May 05, 2026
Source: NVD
CVE-2026-4362 MEDIUM - 6.5

The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `...

Published: May 05, 2026
Source: NVD
CVE-2026-7810 HIGH - 7.3

A flaw has been found in UsamaK98 python-notebook-mcp up to a05a232815809a7e425b5fa7be26e0d4369894c2. Impacted is the function create_notebook/read_notebook/edit_cell/add_cell of the file server.py. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit ...

Published: May 05, 2026
Source: NVD