Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,917
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 16,081 - 16,100 of 38,923 CVEs
CVE-2026-42569 CRITICAL - 9.4

phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.

Vendor: composer
Product: nabeel/phpvms
Published: May 04, 2026
Source: GitHub
CVE-2026-42606 HIGH - 8.1

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to an...

Vendor: composer
Product: azuracast/azuracast
Published: May 04, 2026
Source: GitHub
CVE-2026-42605 HIGH - 8.8

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem s...

Vendor: composer
Product: azuracast/azuracast
Published: May 04, 2026
Source: GitHub
CVE-2026-7779 MEDIUM - 4.3

A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication-subscription Endpoint. Performing a manipulation results in denial of service. Remote exploitation o...

Published: May 04, 2026
Source: NVD
CVE-2026-42238 CRITICAL - 9.8

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upl...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD
CVE-2026-42223 MEDIUM - 6.5

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however,...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD
CVE-2026-42222 HIGH - 8.1

Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD
CVE-2026-42221 HIGH - 8.1

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD
CVE-2026-42220 MEDIUM - 6.5

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret ...

Vendor: 0xJacky
Product: nginx-ui
Published: May 04, 2026
Source: NVD

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A securi...

Vendor: maven
Product: io.quarkiverse.openapi.generator:quarkus-openapi-generator
Published: May 04, 2026
Source: GitHub
CVE-2026-41901 CRITICAL - 9.0

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expression...

Vendor: maven
Product: org.thymeleaf:thymeleaf
Published: May 04, 2026
Source: GitHub
CVE-2026-41895 HIGH - 7.5

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed enti...

Vendor: pip
Product: changedetection.io
Published: May 04, 2026
Source: GitHub
CVE-2026-41893 HIGH - 7.5

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSo...

Vendor: npm
Product: signalk-server
Published: May 04, 2026
Source: GitHub

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0....

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: May 04, 2026
Source: GitHub

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are pas...

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: May 04, 2026
Source: GitHub
CVE-2026-41888 MEDIUM - 6.5

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the ...

Vendor: go
Product: github.com/distribution/distribution/v3
Published: May 04, 2026
Source: GitHub
CVE-2026-42311 HIGH - 7.8

Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub
CVE-2026-42310 MEDIUM - 5.5

Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub
CVE-2026-42308 MEDIUM - 5.5

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub
CVE-2026-42309 MEDIUM - 5.5

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively ...

Vendor: pip
Product: pillow
Published: May 04, 2026
Source: GitHub