CVEs from 2026
Total: 14,797
- critical 1,335
- high 5,010
- medium 4,834
- low 504
% Critical: 9.0%
% with KEV: 0.4%
% with exploit: 0.7%
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-27393 | medium | 5.3 | 5.3 | 17d ago | Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6. | |||
| CVE-2026-9124 | medium | 5.3 | 5.3 | 18d ago | Insufficient validation of untrusted input in Input in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a craf… | |||
| CVE-2026-2812 | medium | 5.3 | 5.3 | 18d ago | ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the en… | |||
| CVE-2026-4293 | medium | 5.3 | 5.3 | 18d ago | The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the brow… | |||
| CVE-2026-5950 | medium | 5.3 | 5.3 | 18d ago | An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sendin… | |||
| CVE-2026-3592 | medium | 5.3 | 5.3 | 18d ago | BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resou… | |||
| CVE-2026-6728 | medium | 5.3 | 5.3 | 18d ago | The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. This makes it possible for una… | |||
| CVE-2026-44390 | medium | 5.3 | 5.3 | 18d ago | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses… | |||
| CVE-2026-42923 | medium | 5.3 | 5.3 | 18d ago | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit… | |||
| CVE-2026-42534 | medium | 5.3 | 5.3 | 18d ago | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could ren… | |||
| CVE-2026-32792 | medium | 5.3 | 5.3 | 18d ago | NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbou… | |||
| CVE-2026-42526 | medium | 5.3 | 5.3 | 19d ago | Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends | |||
| CVE-2026-34154 | medium | 5.3 | 5.3 | 19d ago | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain a… | |||
| CVE-2026-46337 | medium | 5.3 | 5.3 | 19d ago | AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` | |||
| CVE-2026-34883 | medium | 5.3 | 5.3 | 19d ago | An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate priv… | |||
| CVE-2026-31388 | medium | 5.3 | 5.3 | 19d ago | Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixe… | |||
| CVE-2026-31387 | medium | 5.3 | 5.3 | 19d ago | Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | |||
| CVE-2026-8814 | medium | 5.3 | 5.3 | 19d ago | ExifReader is vulnerable to denial of service via unbounded decompression of image metadata | |||
| CVE-2026-32994 | medium | 5.3 | 5.3 | 19d ago | The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any… | |||
| CVE-2026-32244 | medium | 5.3 | 5.3 | 20d ago | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unpriv… | |||
| CVE-2026-4893 | medium | 5.3 | 5.3 | 20d ago | RHSA-2026:20589: dnsmasq security update (Important) | |||
| CVE-2026-4891 | medium | 5.3 | 5.3 | 20d ago | RHSA-2026:20589: dnsmasq security update (Important) | |||
| CVE-2026-45554 | medium | 5.3 | 5.3 | 20d ago | NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rathe… | |||
| CVE-2026-45684 | medium | 5.3 | 5.3 | 20d ago | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by readi… | |||
| CVE-2026-36438 | medium | 5.3 | 5.3 | 20d ago | An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd | |||
| CVE-2026-45620 | medium | 5.3 | 5.3 | 20d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) … | |||
| CVE-2026-8752 | medium | 5.3 | 5.3 | 21d ago | A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the compon… | |||
| CVE-2026-8739 | medium | 5.3 | 5.3 | 21d ago | A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigC… | |||
| CVE-2026-8737 | medium | 5.3 | 5.3 | 21d ago | A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListD… | |||
| CVE-2026-8723 | medium | 5.3 | 5.3 | 22d ago | `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not ha… | |||
| CVE-2026-8681 | medium | 5.3 | 5.3 | 22d ago | The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is auth… | |||
| CVE-2026-44309 | medium | 5.3 | 5.3 | 23d ago | Gitsign is a keyless Sigstore signing tool for Git commits with your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's … | |||
| CVE-2026-8454 | medium | 5.3 | 5.3 | 23d ago | Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer G… | |||
| CVE-2026-8612 | medium | 5.3 | 5.3 | 23d ago | WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. With no explicit cache… | |||
| CVE-2026-45248 | medium | 5.3 | 5.3 | 24d ago | Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user inform… | |||
| CVE-2026-45397 | medium | 5.3 | 5.3 | 24d ago | Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure | |||
| CVE-2026-8583 | medium | 5.3 | 5.3 | 24d ago | Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive informa… | |||
| CVE-2026-8582 | medium | 5.3 | 5.3 | 24d ago | Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium se… | |||
| CVE-2026-8546 | medium | 5.3 | 5.3 | 24d ago | Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information fr… | |||
| CVE-2026-8543 | medium | 5.3 | 5.3 | 24d ago | Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive infor… | |||
| CVE-2026-8541 | medium | 5.3 | 5.3 | 24d ago | Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory vi… | |||
| CVE-2026-8538 | medium | 5.3 | 5.3 | 24d ago | Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a craf… | |||
| CVE-2026-8535 | medium | 5.3 | 5.3 | 24d ago | Out of bounds read in Media in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive informati… | |||
| CVE-2026-8516 | medium | 5.3 | 5.3 | 24d ago | Insufficient validation of untrusted input in DataTransfer in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentia… | |||
| CVE-2026-24000 | medium | 5.3 | 5.3 | 24d ago | Fleet has a rate limiting bypass via untrusted client IP headers | |||
| CVE-2026-38740 | medium | 5.3 | 5.3 | 24d ago | Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE creden… | |||
| CVE-2026-45292 | medium | 5.3 | 5.3 | 24d ago | opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggag… | |||
| CVE-2026-42593 | medium | 5.3 | 5.3 | 24d ago | Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes | |||
| CVE-2026-42592 | medium | 5.3 | 5.3 | 24d ago | Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes | |||
| CVE-2026-41933 | medium | 5.3 | 5.3 | 24d ago | Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking pro… | |||
| CVE-2026-24711 | medium | 5.3 | 5.3 | 24d ago | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control. | |||
| CVE-2026-45205 | medium | 5.3 | 5.3 | 24d ago | Apache Commons Configuration: StackOverflowError for YAML input with cycles | |||
| CVE-2026-6206 | medium | 5.3 | 5.3 | 24d ago | The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restri… | |||
| CVE-2026-6145 | medium | 5.3 | 5.3 | 24d ago | The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relyi… | |||
| CVE-2026-44381 | medium | 5.3 | 5.3 | 25d ago | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow … | |||
| CVE-2026-44379 | medium | 5.3 | 5.3 | 25d ago | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or mo… | |||
| CVE-2026-44373 | medium | 5.3 | 5.3 | 25d ago | Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward… | |||
| CVE-2026-33584 | medium | 5.3 | 5.3 | 25d ago | Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Sym… | |||
| CVE-2026-44457 | medium | 5.3 | 5.3 | 25d ago | Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage | |||
| CVE-2026-44431 | medium | 5.3 | 5.3 | 25d ago | urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=Fa… | |||
| CVE-2026-44294 | medium | 5.3 | 5.3 | 25d ago | protobuf.js: Denial of service from crafted field names in generated code | |||
| CVE-2026-44292 | medium | 5.3 | 5.3 | 25d ago | protobuf.js: Prototype injection in generated message constructors | |||
| CVE-2026-44288 | medium | 5.3 | 5.3 | 25d ago | protobufjs has overlong UTF-8 decoding | |||
| CVE-2026-40435 | medium | 5.3 | 5.3 | 25d ago | When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses. Note: Software versions which have reached End of Technical Su… | |||
| CVE-2026-34019 | medium | 5.3 | 5.3 | 25d ago | When Bidirectional Forwarding Detection (BFD) is configured in Static and Dynamic routing protocols, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to stop processing BFD pack… | |||
| CVE-2026-8463 | medium | 5.3 | 5.3 | 25d ago | Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the… | |||
| CVE-2026-7168 | medium | 5.3 | 5.3 | 25d ago | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reu… | |||
| CVE-2026-7009 | medium | 5.3 | 5.3 | 25d ago | When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and inste… | |||
| CVE-2026-6429 | medium | 5.3 | 5.3 | 25d ago | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. | |||
| CVE-2026-2515 | medium | 5.3 | 5.3 | 25d ago | The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' fu… | |||
| CVE-2026-6965 | medium | 5.3 | 5.3 | 25d ago | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by… | |||
| CVE-2026-8200 | medium | 5.3 | 5.3 | 25d ago | When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This is… | |||
| CVE-2026-44341 | medium | 5.3 | 5.3 | 26d ago | GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. Th… | |||
| CVE-2026-34654 | medium | 5.3 | 5.3 | 26d ago | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result i… | |||
| CVE-2026-23822 | medium | 5.3 | 5.3 | 26d ago | A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an at… | |||
| CVE-2026-42177 | medium | 5.3 | 5.3 | 26d ago | linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter i… | |||
| CVE-2026-31245 | medium | 5.3 | 5.3 | 26d ago | mem0 server lacks authentication and authorization controls for its memory creation API endpoint | |||
| CVE-2026-25431 | medium | 5.3 | 5.3 | 26d ago | Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hustle: through 7.8.10.1. | |||
| CVE-2026-33603 | medium | 5.3 | 5.3 | 26d ago | Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the c… | |||
| CVE-2026-45215 | medium | 5.3 | 5.3 | 26d ago | Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data. This issue affects WP EasyPay: from n/a through <= 4.3.0. | |||
| CVE-2026-45212 | medium | 5.3 | 5.3 | 26d ago | Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Asset … | |||
| CVE-2026-7626 | medium | 5.3 | 5.3 | 26d ago | The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_… | |||
| CVE-2026-6708 | medium | 5.3 | 5.3 | 26d ago | The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability che… | |||
| CVE-2026-5693 | medium | 5.3 | 5.3 | 26d ago | The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking(… | |||
| CVE-2026-8319 | medium | 5.3 | 5.3 | 27d ago | aiwaves-cn agents is vulnerable to resource consumption in the recall_relevant_memories_to_working_memory function | |||
| CVE-2026-6146 | medium | 5.3 | 5.3 | 27d ago | Amazon::Credentials versions through 1.2.0 for Perl use rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data d… | |||
| CVE-2026-41159 | medium | 5.3 | 5.3 | 27d ago | Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies… | |||
| CVE-2026-41150 | medium | 5.3 | 5.3 | 27d ago | Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, i… | |||
| CVE-2026-8318 | medium | 5.3 | 5.3 | 27d ago | A security flaw has been discovered in VectifyAI PageIndex up to f50e52975313c6716c02b20a119577a1929decba. Affected by this vulnerability is the function toc_transformer of the file pageindex/page_in… | |||
| CVE-2026-45002 | medium | 5.3 | 5.3 | 27d ago | OpenClaw: Hook mapping templates could bypass hook session-key opt-in | |||
| CVE-2026-44999 | medium | 5.3 | 5.3 | 27d ago | OpenClaw: Isolated cron awareness events were recorded as trusted system events | |||
| CVE-2026-44994 | medium | 5.3 | 5.3 | 27d ago | OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Att… | |||
| CVE-2026-44226 | medium | 5.3 | 5.3 | 27d ago | PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI | |||
| CVE-2026-34093 | medium | 5.3 | 5.3 | 27d ago | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Specials/SpecialUserRights.P… | |||
| CVE-2026-44201 | medium | 5.3 | 5.3 | 27d ago | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access t… | |||
| CVE-2026-1677 | medium | 5.3 | 5.3 | 27d ago | Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to … | |||
| CVE-2026-8274 | medium | 5.3 | 5.3 | 27d ago | A security vulnerability has been detected in npitre cramfs-tools up to 2.1. Affected is the function do_directory of the file cramfsck.c of the component Directory Handler. Such manipulation leads t… | |||
| CVE-2026-8258 | medium | 5.3 | 5.3 | 27d ago | A flaw has been found in Squirrel up to 3.2. Impacted is the function validate_format in the library sqstdlib/sqstdstring.cpp. Executing a manipulation can lead to stack-based buffer overflow. The at… | |||
| CVE-2026-28994 | medium | 5.3 | 5.3 | 28d ago | watchOS 26.5 | |||
| CVE-2026-45179 | medium | 5.3 | 5.3 | 28d ago | Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host o… |