Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,313
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,261 - 17,280 of 42,148 CVEs
CVE-2026-0502 MEDIUM - 5.4

Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality ...

Published: May 12, 2026
Source: NVD
CVE-2026-45393 CRITICAL - 9.8

Reserved. Details will be published at disclosure.

Vendor: Cribl
Product: Cribl Edge
Published: May 12, 2026
Source: NVD
CVE-2026-45392 CRITICAL - 9.8

Reserved. Details will be published at disclosure.

Vendor: Cribl
Product: Cribl Stream
Published: May 12, 2026
Source: NVD
CVE-2026-45391 CRITICAL - 9.8

Reserved. Details will be published at disclosure.

Vendor: Cribl
Product: Cribl Edge
Published: May 12, 2026
Source: NVD

Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file.

Vendor: Sangoma
Product: Switchvox
Published: May 12, 2026
Source: NVD
CVE-2026-45321 CRITICAL - 9.6

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself wa...

Vendor: npm
Product: @tanstack/arktype-adapter
Published: May 12, 2026
Source: NVD
CVE-2026-8349 MEDIUM - 4.3

A flaw has been found in omec-project amf up to 2.1.1. This vulnerability affects unknown code of the component NGAP Message Handler. Executing a manipulation can lead to memory corruption. The attack can be launched remotely. The exploit has been published and may be used. This patch is called 8a4c...

Published: May 12, 2026
Source: NVD
CVE-2026-8346 MEDIUM - 6.3

A vulnerability was detected in D-Link DIR-816 1.10CNB05_R1B011D88210. This affects the function portForward. Performing a manipulation of the argument ip_address results in command injection. The attack can be initiated remotely. The exploit is now public and may be used.

Vendor: dlink
Product: dir-816_firmware
Published: May 12, 2026
Source: NVD
CVE-2026-8345 MEDIUM - 6.3

A security vulnerability has been detected in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this issue is the function sub_445E7C of the file /goform/singlePortForward. Such manipulation of the argument ip_address leads to command injection. It is possible to launch the attack remotely. The exp...

Vendor: dlink
Product: dir-816_firmware
Published: May 11, 2026
Source: NVD
CVE-2026-43914 HIGH - 7.3

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoi...

Vendor: dani-garcia
Product: vaultwarden
Published: May 11, 2026
Source: NVD
CVE-2026-43913 HIGH - 8.1

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a...

Vendor: dani-garcia
Product: vaultwarden
Published: May 11, 2026
Source: NVD
CVE-2026-43912 HIGH - 8.7

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as co...

Vendor: dani-garcia
Product: vaultwarden
Published: May 11, 2026
Source: NVD
CVE-2026-43911 MEDIUM - 6.8

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access ...

Vendor: dani-garcia
Product: vaultwarden
Published: May 11, 2026
Source: NVD
CVE-2026-43900 CRITICAL - 9.3

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer (s...

Vendor: ThinkInAIXYZ
Product: deepchat
Published: May 11, 2026
Source: NVD
CVE-2026-43899 CRITICAL - 9.6

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass (RCE). While the patch correctly restricted api.openExter...

Vendor: ThinkInAIXYZ
Product: deepchat
Published: May 11, 2026
Source: NVD
CVE-2026-34963 HIGH - 8.4

barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size values allows undersized heap allocation, and PE section load...

Vendor: barebox
Product: barebox
Published: May 11, 2026
Source: NVD
CVE-2026-34962 MEDIUM - 6.2

barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesystem image with a cr...

Vendor: barebox
Product: barebox
Published: May 11, 2026
Source: NVD
CVE-2026-8344 MEDIUM - 6.3

A weakness has been identified in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this vulnerability is the function sub_445E7C of the file /goform/formDMZ.cgi. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the p...

Vendor: dlink
Product: dir-816_firmware
Published: May 11, 2026
Source: NVD
CVE-2026-7010 MEDIUM - 6.5

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one...

Published: May 11, 2026
Source: NVD
CVE-2026-44695 MEDIUM - 5.8

Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in...

Vendor: outline
Product: outline
Published: May 11, 2026
Source: NVD