Total CVEs

144,090

Critical Severity

4,134

High Severity

14,909

Last 7 Days

1,603
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 18,201 - 18,220 of 40,495 CVEs
CVE-2026-31694 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks...

Vendor: Linux
Product: Linux
Published: May 01, 2026
Source: NVD
CVE-2026-7581 MEDIUM - 4.3

A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out remotel...

Published: May 01, 2026
Source: NVD
CVE-2026-7580 MEDIUM - 5.3

A vulnerability was detected in Exiftool up to 13.53. Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is ...

Published: May 01, 2026
Source: NVD
CVE-2026-7579 HIGH - 7.3

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The ex...

Published: May 01, 2026
Source: NVD
CVE-2026-3772 HIGH - 8.8

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers ...

Published: May 01, 2026
Source: NVD
CVE-2026-3140 MEDIUM - 4.3

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. This makes it possible for unauthenticated attackers to toggle...

Published: May 01, 2026
Source: NVD
CVE-2026-7578 MEDIUM - 4.7

A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The...

Published: May 01, 2026
Source: NVD
CVE-2026-42779 CRITICAL - 9.8

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the...

Vendor: Apache Software Foundation
Product: Apache MINA
Published: May 01, 2026
Source: NVD
CVE-2026-42778 CRITICAL - 9.8

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a s...

Vendor: Apache Software Foundation
Product: Apache MINA
Published: May 01, 2026
Source: NVD
CVE-2026-42404 MEDIUM - 6.5

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses....

Vendor: Apache Software Foundation
Product: Apache Neethi
Published: May 01, 2026
Source: NVD
CVE-2026-7567 CRITICAL - 9.8

The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string b...

Published: May 01, 2026
Source: NVD
CVE-2026-43003 HIGH - 8.0

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

Vendor: OpenStack
Product: ironic-python-agent
Published: May 01, 2026
Source: NVD
CVE-2026-43001 HIGH - 7.9

An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential ...

Vendor: OpenStack
Product: Keystone
Published: May 01, 2026
Source: NVD
CVE-2026-42403 HIGH - 7.5

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, le...

Vendor: Apache Software Foundation
Product: Apache Neethi
Published: May 01, 2026
Source: NVD
CVE-2026-42402 HIGH - 7.5

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the...

Vendor: Apache Software Foundation
Product: Apache Neethi
Published: May 01, 2026
Source: NVD
CVE-2026-40201 MEDIUM - 5.4

@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.

Vendor: diplodoc-platform
Product: @diplodoc/search-extension
Published: May 01, 2026
Source: NVD
CVE-2026-7584 HIGH - 7.8

The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target ...

Vendor: zhinst
Product: labone_q
Published: May 01, 2026
Source: NVD

JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of @APRSIS GRID followed by a long Maidenhead locator. This occurs in grid2deg in APRSISClient.cpp.

Vendor: JS8Call, JS8Call-improved
Product: JS8Call, JS8Call-improved
Published: May 01, 2026
Source: NVD
CVE-2026-7555 HIGH - 7.3

A vulnerability was identified in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/login.php. Such manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.

Published: May 01, 2026
Source: NVD
CVE-2026-7554 MEDIUM - 5.6

A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation i...

Vendor: dlink
Product: m60_firmware
Published: May 01, 2026
Source: NVD