Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,811
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,781 - 15,800 of 38,803 CVEs
CVE-2026-43874 HIGH - 7.2

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the ...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43873 HIGH - 7.5

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on eve...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-42882 CRITICAL - 9.4

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the per...

Vendor: go
Product: github.com/oxyno-zeta/s3-proxy
Published: May 05, 2026
Source: GitHub
CVE-2026-42565 MEDIUM - 4.3

@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round...

Vendor: npm
Product: @workos/authkit-session
Published: May 05, 2026
Source: GitHub

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace was ...

Vendor: go
Product: github.com/external-secrets/external-secrets
Published: May 05, 2026
Source: GitHub

Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection at...

Vendor: pip
Product: microdot
Published: May 05, 2026
Source: GitHub
CVE-2026-42048 CRITICAL - 9.6

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths withou...

Vendor: pip
Product: langflow
Published: May 05, 2026
Source: GitHub
CVE-2026-41417 MEDIUM - 5.3

Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same val...

Vendor: maven
Product: io.netty:netty-codec-http
Published: May 05, 2026
Source: GitHub
CVE-2026-42864 CRITICAL - 9.9

FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via httpx.get() with no URL va...

Vendor: pip
Product: firefighter-incident
Published: May 05, 2026
Source: GitHub
CVE-2026-7853 CRITICAL - 9.8

A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the function sprintf of the file /auto_reboot.asp of the component HTTP Handler. This manipulation of the argument enable/time causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made av...

Vendor: dlink
Product: di-8100_firmware
Published: May 05, 2026
Source: NVD
CVE-2026-7851 HIGH - 7.2

A vulnerability was identified in D-Link DI-8100 16.07.26A1. This affects the function sprintf of the file yyxz.asp. The manipulation of the argument ID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

Vendor: dlink
Product: di-8100_firmware
Published: May 05, 2026
Source: NVD
CVE-2026-42047 HIGH - 8.6

Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serv...

Vendor: npm
Product: inngest
Published: May 05, 2026
Source: GitHub
CVE-2026-40864 MEDIUM - 5.4

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected...

Vendor: pip
Product: jupyterhub
Published: May 05, 2026
Source: GitHub
CVE-2026-42045 MEDIUM - 6.2

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the de...

Vendor: npm
Product: @lobehub/lobehub
Published: May 05, 2026
Source: GitHub
CVE-2026-42860 HIGH - 8.5

The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated user with the Enterprise Admin ro...

Vendor: pip
Product: edx-enterprise
Published: May 05, 2026
Source: GitHub

Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and dispatches them directly to the orchestrator's tool registry. The default bind address is 0.0.0.0...

Vendor: npm
Product: network-ai
Published: May 05, 2026
Source: GitHub
CVE-2026-7847 LOW - 2.6

A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Uploaded File Handler. Performing a manipulation results in insufficiently ran...

Published: May 05, 2026
Source: NVD
CVE-2026-43002 MEDIUM - 5.3

An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.

Vendor: OpenStack
Product: Horizon
Published: May 05, 2026
Source: NVD
CVE-2026-38432 MEDIUM - 6.1

ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that are executed on the victim's browser when the template is applied.

Vendor: frappe
Product: erpnext
Published: May 05, 2026
Source: NVD
CVE-2026-38431 CRITICAL - 9.8

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

Vendor: frappe
Product: erpnext
Published: May 05, 2026
Source: NVD