CVEs from 2026
Total
14,792
critical
critical 1,335
high
high 5,008
medium
medium 4,832
low
low 503
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40989 | medium | 6.5 | 6.5 | 6d ago | Under infinite recursion in the routing layer, request-handling can cause OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Functio… | |||
| CVE-2026-23638 | medium | 6.5 | 6.5 | 6d ago | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper w… | |||
| CVE-2026-45267 | medium | 6.5 | 6.5 | 6d ago | Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been p… | |||
| CVE-2026-42679 | medium | 6.5 | 6.5 | 6d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal. This issue affects Classified Listing: from n… | |||
| CVE-2026-42676 | medium | 6.5 | 6.5 | 6d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred allows Stored XSS. This issue affects myCred: from n/a through 3.0.4. | |||
| CVE-2026-42671 | medium | 6.5 | 6.5 | 6d ago | Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GeoDirectory: from n/a through 2.8.157. | |||
| CVE-2026-10272 | medium | 6.5 | 6.5 | 6d ago | A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such man… | |||
| CVE-2026-48726 | medium | 6.5 | 6.5 | 6d ago | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` … | |||
| CVE-2026-42360 | medium | 6.5 | 6.5 | 6d ago | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be by… | |||
| CVE-2026-42358 | medium | 6.5 | 6.5 | 6d ago | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON valu… | |||
| CVE-2026-40861 | medium | 6.5 | 6.5 | 6d ago | A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg… | |||
| CVE-2026-45192 | medium | 6.5 | 6.5 | 6d ago | A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connect… | |||
| CVE-2026-48208 | medium | 6.5 | 6.5 | 6d ago | An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to… | |||
| CVE-2026-10190 | medium | 6.5 | 6.5 | 7d ago | A vulnerability was found in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the arg… | |||
| CVE-2026-49386 | medium | 6.5 | 6.5 | 9d ago | In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas | |||
| CVE-2026-49385 | medium | 6.5 | 6.5 | 9d ago | In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts | |||
| CVE-2026-49379 | medium | 6.5 | 6.5 | 9d ago | In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names | |||
| CVE-2026-49376 | medium | 6.5 | 6.5 | 9d ago | In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin | |||
| CVE-2026-47745 | medium | 6.5 | 6.5 | 9d ago | Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables | |||
| CVE-2026-47742 | medium | 6.5 | 6.5 | 9d ago | Shopper: Missing authorization on Product admin Livewire sub-form components | |||
| CVE-2026-39229 | medium | 6.5 | 6.5 | 9d ago | Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective comp… | |||
| CVE-2026-35673 | medium | 6.5 | 6.5 | 9d ago | OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can byp… | |||
| CVE-2026-9493 | medium | 6.5 | 6.5 | 9d ago | Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query fun… | |||
| CVE-2026-9996 | medium | 6.5 | 6.5 | 9d ago | Out of bounds read in WebRTC in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromi… | |||
| CVE-2026-9981 | medium | 6.5 | 6.5 | 9d ago | Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chrom… | |||
| CVE-2026-9953 | medium | 6.5 | 6.5 | 9d ago | Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secur… | |||
| CVE-2026-9917 | medium | 6.5 | 6.5 | 9d ago | Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chro… | |||
| CVE-2026-9912 | medium | 6.5 | 6.5 | 9d ago | Inappropriate implementation in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML pa… | |||
| CVE-2026-9908 | medium | 6.5 | 6.5 | 9d ago | Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secur… | |||
| CVE-2026-9882 | medium | 6.5 | 6.5 | 9d ago | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Critical) | |||
| CVE-2026-10018 | medium | 6.5 | 6.5 | 9d ago | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium securit… | |||
| CVE-2026-10008 | medium | 6.5 | 6.5 | 9d ago | Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromi… | |||
| CVE-2026-10004 | medium | 6.5 | 6.5 | 9d ago | Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity:… | |||
| CVE-2026-33464 | medium | 6.5 | 6.5 | 9d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially … | |||
| CVE-2026-49094 | medium | 6.5 | 6.5 | 9d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containin… | |||
| CVE-2026-49095 | medium | 6.5 | 6.5 | 9d ago | Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent po… | |||
| CVE-2026-42399 | medium | 6.5 | 6.5 | 9d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentiall… | |||
| CVE-2026-42400 | medium | 6.5 | 6.5 | 9d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload… | |||
| CVE-2026-47673 | medium | 6.5 | 6.5 | 10d ago | Hono: JWT middleware accepts any Authorization scheme, not only Bearer | |||
| CVE-2026-41185 | medium | 6.5 | 6.5 | 10d ago | When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, t… | |||
| CVE-2026-41184 | medium | 6.5 | 6.5 | 10d ago | In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico d… | |||
| CVE-2026-41141 | medium | 6.5 | 6.5 | 10d ago | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning e… | |||
| CVE-2026-7048 | medium | 6.5 | 6.5 | 10d ago | The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.… | |||
| CVE-2026-3173 | medium | 6.5 | 6.5 | 10d ago | The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary … | |||
| CVE-2026-9796 | medium | 6.5 | 6.5 | 10d ago | A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This… | |||
| CVE-2026-9792 | medium | 6.5 | 6.5 | 10d ago | A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-… | |||
| CVE-2026-5737 | medium | 6.5 | 6.5 | 10d ago | The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/searc… | |||
| CVE-2026-47273 | medium | 6.5 | 6.5 | 10d ago | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and dev… | |||
| CVE-2026-1402 | medium | 6.5 | 6.5 | 11d ago | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authen… | |||
| CVE-2026-45081 | medium | 6.5 | 6.5 | 11d ago | Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This… | |||
| CVE-2026-48147 | medium | 6.5 | 6.5 | 11d ago | Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanc… | |||
| CVE-2026-45719 | medium | 6.5 | 6.5 | 11d ago | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API | |||
| CVE-2026-44317 | medium | 6.5 | 6.5 | 11d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose as… | |||
| CVE-2026-44324 | medium | 6.5 | 6.5 | 11d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions han… | |||
| CVE-2026-44353 | medium | 6.5 | 6.5 | 11d ago | Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries an… | |||
| CVE-2026-49044 | medium | 6.5 | 6.5 | 11d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS. This issue affects Ad… | |||
| CVE-2026-47118 | medium | 6.5 | 6.5 | 11d ago | Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, whi… | |||
| CVE-2026-9035 | medium | 6.5 | 6.5 | 11d ago | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affecte… | |||
| CVE-2026-8405 | medium | 6.5 | 6.5 | 11d ago | IBM Guardium Data Protection 12.2.1, and 12.2.2 's add-on feature of Guardium Data Protection named "Long Term Retention" (LTR) can expose sensitive credentials in debug mode. | |||
| CVE-2026-6936 | medium | 6.5 | 6.5 | 11d ago | IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit th… | |||
| CVE-2026-3676 | medium | 6.5 | 6.5 | 11d ago | IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of se… | |||
| CVE-2026-1933 | medium | 6.5 | 6.5 | 11d ago | A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem wri… | |||
| CVE-2026-2340 | medium | 6.5 | 6.5 | 11d ago | A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to i… | |||
| CVE-2026-42751 | medium | 6.5 | 6.5 | 11d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS.This issue affects Booking Manager: f… | |||
| CVE-2026-42750 | medium | 6.5 | 6.5 | 11d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS.This issue affects WPComplete: from n/a through <… | |||
| CVE-2026-42744 | medium | 6.5 | 6.5 | 11d ago | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields.This issue affects Ads by WPQuads: from n/a … | |||
| CVE-2026-42732 | medium | 6.5 | 6.5 | 11d ago | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation.This issue affects Ads by WPQuads: from n/a thr… | |||
| CVE-2026-42725 | medium | 6.5 | 6.5 | 11d ago | Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Contr… | |||
| CVE-2026-42726 | medium | 6.5 | 6.5 | 11d ago | Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects … | |||
| CVE-2026-48968 | medium | 6.5 | 6.5 | 11d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.… | |||
| CVE-2026-48877 | medium | 6.5 | 6.5 | 11d ago | Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0. | |||
| CVE-2026-40849 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. … | |||
| CVE-2026-40848 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can resul… | |||
| CVE-2026-40847 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This ca… | |||
| CVE-2026-40846 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can re… | |||
| CVE-2026-40845 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT comma… | |||
| CVE-2026-40844 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can… | |||
| CVE-2026-40843 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can … | |||
| CVE-2026-40842 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. … | |||
| CVE-2026-40841 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command.… | |||
| CVE-2026-40840 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT co… | |||
| CVE-2026-40839 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT co… | |||
| CVE-2026-40838 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT comma… | |||
| CVE-2026-40837 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT comm… | |||
| CVE-2026-40835 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT comm… | |||
| CVE-2026-40832 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command… | |||
| CVE-2026-40831 | medium | 6.5 | 6.5 | 11d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can resu… | |||
| CVE-2026-3279 | medium | 6.5 | 6.5 | 11d ago | The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions… | |||
| CVE-2026-44596 | medium | — | 6.5 | 11d ago | Yamcs has No Rate Limiting on Authentication Endpoint | |||
| CVE-2026-44595 | medium | — | 6.5 | 11d ago | Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints | |||
| CVE-2026-38930 | medium | 6.5 | 6.5 | 11d ago | OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the … | |||
| CVE-2026-8961 | medium | 6.5 | 6.5 | 11d ago | Important: thunderbird security update | |||
| CVE-2026-8388 | medium | 6.5 | 6.5 | 11d ago | Important: thunderbird security update | |||
| CVE-2026-42568 | medium | — | 6.5 | 11d ago | Yamcs Vulnerable to LDAP Injection in LdapAuthModule | |||
| CVE-2026-9603 | medium | 6.5 | 6.5 | 11d ago | A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument I… | |||
| CVE-2026-48710 | medium | 6.5 | 6.5 | 11d ago | Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks | |||
| CVE-2026-44213 | medium | 6.5 | 6.5 | 11d ago | The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sendi… | |||
| CVE-2026-44788 | medium | 6.5 | 6.5 | 11d ago | SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory() allows a malicious ar… | |||
| CVE-2026-47672 | medium | 6.5 | 6.5 | 11d ago | epa4all-client: Unauthenticated REST API for Patient Record Writes | |||
| CVE-2026-44836 | medium | 6.5 | 6.5 | 11d ago | view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls… |