Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,541
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,021 - 17,040 of 40,154 CVEs
CVE-2026-6344 MEDIUM - 4.9

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without ve...

Published: May 06, 2026
Source: NVD
CVE-2026-35254 MEDIUM - 6.1

Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracl...

Vendor: Oracle Corporation
Product: Oracle OCI CLI of Oracle Open Source Projects
Published: May 06, 2026
Source: NVD
CVE-2026-35253 MEDIUM - 4.7

Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerabili...

Vendor: Oracle Corporation
Product: Oracle Macaron Tool of Oracle Open Source Projects
Published: May 06, 2026
Source: NVD

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript woul...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session.

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD
CVE-2026-2306 MEDIUM - 4.3

The Ninja Tables โ€“ Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subs...

Published: May 06, 2026
Source: NVD
CVE-2026-5753 MEDIUM - 6.5

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabi...

Published: May 06, 2026
Source: NVD
CVE-2026-3208 MEDIUM - 5.3

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to...

Published: May 06, 2026
Source: NVD
CVE-2026-7573 MEDIUM - 5.0

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org para...

Published: May 06, 2026
Source: NVD
CVE-2026-7572 MEDIUM - 4.4

An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx V...

Published: May 06, 2026
Source: NVD
CVE-2025-71256 HIGH - 7.5

In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71255 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71254 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71253 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71252 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71251 HIGH - 7.5

In IMS, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Vendor: Paramiko
Product: Paramiko
Published: May 06, 2026
Source: NVD
CVE-2026-44221 CRITICAL - 9.0

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninit...

Vendor: maven
Product: com.arcadedb:arcadedb-server
Published: May 05, 2026
Source: GitHub
CVE-2026-44222 MEDIUM - 6.5

vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a a Token Injection vulnerability in vLLMโ€™s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequ...

Vendor: pip
Product: vllm
Published: May 05, 2026
Source: GitHub