Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,712
📅 Showing Year: 2026 (January 1 - December 31, 2026)
Showing 15,961 - 15,980 of 38,432 CVEs
CVE-2026-7585 MEDIUM - 4.3

A vulnerability was determined in Open5GS up to 2.7.7. The impacted element is the function amf_nudm_sdm_handle_provisioned of the file /src/amf/nudm-handler.c of the component AMF. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been publ...

Vendor: open5gs
Product: open5gs
Published: May 01, 2026
Source: NVD
CVE-2026-42481 MEDIUM - 5.5

Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabilities in its IGES and STEP file parsers that can be triggered by crafted IGES or STEP files. These issues include an out-of-bounds read in Geom2d_BSplineCurve::EvalD0 during IGES B-spline curve evaluation, an out-of-bounds read in...

Published: May 01, 2026
Source: NVD
CVE-2026-42480 MEDIUM - 5.5

A stack-based out-of-bounds read vulnerability in VrmlData_Scene::ReadLine in the VRML parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because the quoted-string escape handler uses ptr[++anOffset] without pro...

Published: May 01, 2026
Source: NVD
CVE-2026-42475 MEDIUM - 6.5

SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `on` array to the joinOn function in BuildHelper.php.

Published: May 01, 2026
Source: NVD
CVE-2026-42474 MEDIUM - 6.5

SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `data` array to the data function in BuildHelper.php.

Published: May 01, 2026
Source: NVD
CVE-2026-42473 CRITICAL - 9.8

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the FileHandler object.

Published: May 01, 2026
Source: NVD
CVE-2026-42472 CRITICAL - 9.8

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandler object.

Published: May 01, 2026
Source: NVD
CVE-2026-42471 HIGH - 8.1

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.

Published: May 01, 2026
Source: NVD
CVE-2026-37554 HIGH - 7.5

An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not proper...

Published: May 01, 2026
Source: NVD
CVE-2026-37552 HIGH - 8.4

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on...

Published: May 01, 2026
Source: NVD
CVE-2026-37505 MEDIUM - 4.9

SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, rem...

Published: May 01, 2026
Source: NVD
CVE-2026-37504 MEDIUM - 5.3

Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be rec...

Published: May 01, 2026
Source: NVD
CVE-2026-37503 MEDIUM - 6.9

Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling c...

Published: May 01, 2026
Source: NVD
CVE-2026-23866 MEDIUM - 4.3

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering O...

Vendor: Facebook
Product: WhatsApp for Android, WhatsApp for iOS
Published: May 01, 2026
Source: NVD
CVE-2026-23863 MEDIUM - 6.5

An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exp...

Vendor: Facebook
Product: WhatsApp Desktop for Windows
Published: May 01, 2026
Source: NVD
CVE-2026-22167 HIGH - 7.8

Software installed and run as a non-privileged user may conduct improper GPU system calls to force GPU to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel an...

Vendor: Imagination Technologies
Product: Graphics DDK
Published: May 01, 2026
Source: NVD
CVE-2026-22166 CRITICAL - 9.6

A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable subsequent exploit on the syst...

Vendor: Imagination Technologies
Product: Graphics DDK
Published: May 01, 2026
Source: NVD
CVE-2026-22165 HIGH - 8.1

A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the devi...

Vendor: Imagination Technologies
Product: Graphics DDK
Published: May 01, 2026
Source: NVD
CVE-2026-7583 MEDIUM - 4.3

A flaw has been found in Open5GS up to 2.7.7. This issue affects the function bsf_sess_find_by_ipv6prefix of the file /src/bsf/context.c of the component BSF. This manipulation of the argument ipv6Prefix causes denial of service. It is possible to initiate the attack remotely. The exploit has been p...

Published: May 01, 2026
Source: NVD
CVE-2026-43507 HIGH - 7.5

An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections.

Vendor: prosody
Product: prosody
Published: May 01, 2026
Source: NVD