Total CVEs

144,202

Critical Severity

4,148

High Severity

14,963

Last 7 Days

1,649
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,481 - 17,500 of 40,607 CVEs
CVE-2026-5753 MEDIUM - 6.5

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabi...

Published: May 06, 2026
Source: NVD
CVE-2026-3208 MEDIUM - 5.3

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to...

Published: May 06, 2026
Source: NVD
CVE-2026-7573 MEDIUM - 5.0

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org para...

Published: May 06, 2026
Source: NVD
CVE-2026-7572 MEDIUM - 4.4

An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx V...

Published: May 06, 2026
Source: NVD
CVE-2025-71256 HIGH - 7.5

In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71255 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71254 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71253 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71252 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71251 HIGH - 7.5

In IMS, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Vendor: Paramiko
Product: Paramiko
Published: May 06, 2026
Source: NVD
CVE-2026-44221 CRITICAL - 9.0

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninit...

Vendor: maven
Product: com.arcadedb:arcadedb-server
Published: May 05, 2026
Source: GitHub
CVE-2026-44222 MEDIUM - 6.5

vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a a Token Injection vulnerability in vLLMโ€™s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequ...

Vendor: pip
Product: vllm
Published: May 05, 2026
Source: GitHub

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an up...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub

ciguard is a static security auditor for CI/CD pipelines. From 0.8.0 to 0.8.1 , the discover_pipeline_files() function in src/ciguard/discovery.py walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory ...

Vendor: pip
Product: ciguard
Published: May 05, 2026
Source: GitHub

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2.

Vendor: pip
Product: ciguard
Published: May 05, 2026
Source: GitHub
CVE-2026-44219 MEDIUM - 3.7

ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endo...

Vendor: pip
Product: ciguard
Published: May 05, 2026
Source: GitHub

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the ...

Vendor: npm
Product: sse-channel
Published: May 05, 2026
Source: GitHub
CVE-2026-43884 HIGH - 7.7

WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's aut...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub
CVE-2026-43883 MEDIUM - 4.2

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authentica...

Vendor: composer
Product: wwbn/avideo
Published: May 05, 2026
Source: GitHub