Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,261
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 15,981 - 16,000 of 39,637 CVEs
CVE-2026-44479 MEDIUM - 5.5

Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the us...

Vendor: npm
Product: vercel
Published: May 07, 2026
Source: GitHub
CVE-2026-44264 MEDIUM - 4.3

Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1.

Vendor: pip
Product: weblate
Published: May 07, 2026
Source: GitHub
CVE-2026-44263 MEDIUM - 4.3

Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.

Vendor: pip
Product: weblate
Published: May 07, 2026
Source: GitHub
CVE-2026-44471 HIGH - 7.8

gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries are...

Vendor: rust
Product: gix-fs
Published: May 07, 2026
Source: GitHub
CVE-2026-44456 MEDIUM - 6.5

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. T...

Vendor: npm
Product: hono
Published: May 06, 2026
Source: GitHub
CVE-2026-44455 MEDIUM - 4.7

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the prog...

Vendor: npm
Product: hono
Published: May 06, 2026
Source: GitHub

PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location....

Vendor: pip
Product: PlaywrightCapture
Published: May 06, 2026
Source: GitHub

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account...

Vendor: npm
Product: @angular/ssr
Published: May 06, 2026
Source: GitHub
CVE-2026-44425 MEDIUM - 5.4

ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the data...

Vendor: go
Product: github.com/shellhub-io/shellhub
Published: May 06, 2026
Source: GitHub
CVE-2026-44423 MEDIUM - 6.5

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated ...

Vendor: go
Product: github.com/shellhub-io/shellhub
Published: May 06, 2026
Source: GitHub
CVE-2026-44424 MEDIUM - 6.5

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a devic...

Vendor: go
Product: github.com/shellhub-io/shellhub
Published: May 06, 2026
Source: GitHub

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: May 06, 2026
Source: NVD
CVE-2026-42577 HIGH - 7.5

Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 1...

Vendor: maven
Product: io.netty:netty-transport-native-epoll
Published: May 06, 2026
Source: GitHub
CVE-2026-44375 HIGH - 7.5

Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reade...

Vendor: nuget
Product: Nerdbank.MessagePack
Published: May 06, 2026
Source: GitHub
CVE-2026-44374 MEDIUM - 4.3

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of o...

Vendor: npm
Product: @backstage/plugin-catalog-unprocessed-entities-common
Published: May 06, 2026
Source: GitHub

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions (`md`, `y...

Vendor: composer
Product: getgrav/grav-plugin-form
Published: May 06, 2026
Source: GitHub

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.

Vendor: npm
Product: nitro
Published: May 06, 2026
Source: GitHub
CVE-2026-44373 MEDIUM - 5.3

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in 3....

Vendor: npm
Product: nitro
Published: May 06, 2026
Source: GitHub

PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can measure the time of secre...

Vendor: pip
Product: pyquorum
Published: May 06, 2026
Source: GitHub
CVE-2026-42602 HIGH - 8.1

azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTele...

Vendor: go
Product: github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
Published: May 06, 2026
Source: GitHub