Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10192 | Critical: 692 | High: 2939 | Medium: 3205
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-44588 | UNKNOWN | — | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through … | May 14, 2026 |
| CVE-2026-44586 | HIGH | 8.3 | SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0, SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage … | May 14, 2026 |
| CVE-2026-44523 | CRITICAL | 10.0 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts … | May 14, 2026 |
| CVE-2026-44522 | UNKNOWN | — | Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via … | May 14, 2026 |
| CVE-2026-41315 | UNKNOWN | — | mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication … | May 14, 2026 |
| CVE-2026-38740 | MEDIUM | 5.3 | Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials … | May 14, 2026 |
| CVE-2026-27886 | UNKNOWN | — | Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when … | May 14, 2026 |
| CVE-2026-27680 | LOW | 3.1 | Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into … | May 14, 2026 |
| CVE-2026-23998 | UNKNOWN | — | Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed … | May 14, 2026 |
| CVE-2026-22707 | UNKNOWN | — | Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the … | May 14, 2026 |
| CVE-2026-22706 | UNKNOWN | — | Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the … | May 14, 2026 |
| CVE-2026-22599 | UNKNOWN | — | Strapi is an open source headless content management system. In versions on the 4.x branch prior to 4.26.1 and on the 5.x branch prior to … | May 14, 2026 |
| CVE-2025-64526 | UNKNOWN | — | Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit … | May 14, 2026 |
| CVE-2026-6332 | UNKNOWN | — | CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information which could result in revealing protected source code … | May 14, 2026 |
| CVE-2026-46470 | MEDIUM | 4.0 | An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data … | May 14, 2026 |
| CVE-2026-46469 | MEDIUM | 4.0 | An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate atom data … | May 14, 2026 |
| CVE-2026-44544 | UNKNOWN | — | gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the … | May 14, 2026 |
| CVE-2026-44542 | CRITICAL | 9.1 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior … | May 14, 2026 |
| CVE-2026-44520 | MEDIUM | 5.7 | Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py … | May 14, 2026 |
| CVE-2026-44283 | NONE | — | etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read … | May 14, 2026 |
| CVE-2026-42897 | HIGH | 8.1 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | May 14, 2026 |
| CVE-2026-42598 | UNKNOWN | — | Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0 to before 2.13.0, when requesting content from … | May 14, 2026 |
| CVE-2026-42572 | MEDIUM | 5.3 | Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET … | May 14, 2026 |
| CVE-2026-42334 | HIGH | 7.5 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing … | May 14, 2026 |
| CVE-2026-41888 | UNKNOWN | — | Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: … | May 14, 2026 |