CVEs from 2026
Total: 13,466
critical: 1,177
high: 4,294
medium: 4,167
low: 443
% Critical: 8.7%
% with KEV: 0.4%
% with exploit: 0.8%
Top products
- chrome 417
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2536 | medium | 6.3 | 6.3 | | | | 4mo ago | A vulnerability was determined in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. … |
| CVE-2026-2074 | medium | 6.3 | 6.3 | | | | 4mo ago | A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation le… |
| CVE-2026-1977 | medium | 6.3 | 6.3 | | | | 4mo ago | A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component v… |
| CVE-2026-1623 | medium | 6.3 | 6.3 | | | | 4mo ago | A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injecti… |
| CVE-2026-1601 | medium | 6.3 | 6.3 | | | | 4mo ago | A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileNam… |
| CVE-2026-1218 | medium | 6.3 | 6.3 | | | | 4mo ago | A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Perform… |
| CVE-2026-1126 | medium | 6.3 | 6.3 | | | | 4mo ago | A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\… |
| CVE-2026-0843 | medium | 6.3 | 6.3 | | | | 5mo ago | A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Suc… |
| CVE-2026-0842 | medium | 6.3 | 6.3 | | | | 5mo ago | A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The a… |
| CVE-2026-42328 | medium | 6.2 | 6.2 | | | | 4d ago | go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on … |
| CVE-2026-23679 | medium | 6.2 | 6.2 | | | | 4d ago | libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface cla… |
| CVE-2026-2237 | medium | 6.2 | 6.2 | | | | 5d ago | A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive informatio… |
| CVE-2026-48696 | medium | 6.2 | 6.2 | | | | 6d ago | FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689. |
| CVE-2026-42627 | medium | 6.2 | 6.2 | | | | 9d ago | In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn/Tensor.cpp allows a crafted TFLite model file to bypass buffer size validation and trigger a heap-based … |
| CVE-2026-36189 | medium | 6.2 | 6.2 | | | | 10d ago | Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify_d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial… |
| CVE-2026-38719 | medium | 6.2 | 6.2 | | | | 13d ago | OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A c… |
| CVE-2026-41969 | medium | 6.2 | 6.2 | | | | 17d ago | Permission control vulnerability in the projection module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2026-34688 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit … |
| CVE-2026-34680 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exp… |
| CVE-2026-34679 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit … |
| CVE-2026-34678 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could explo… |
| CVE-2026-34677 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could explo… |
| CVE-2026-34673 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could explo… |
| CVE-2026-34672 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker c… |
| CVE-2026-34671 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exp… |
| CVE-2026-34670 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit … |
| CVE-2026-34669 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit … |
| CVE-2026-34668 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit … |
| CVE-2026-34667 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker c… |
| CVE-2026-34666 | medium | 6.2 | 6.2 | | | | 19d ago | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit … |
| CVE-2026-42045 | medium | 6.2 | 6.2 | | | | 19d ago | LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution |
| CVE-2026-41614 | medium | 6.2 | 6.2 | | | | 19d ago | Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally. |
| CVE-2026-40380 | medium | 6.2 | 6.2 | | | | 19d ago | Heap-based buffer overflow in Volume Manager Extension Driver allows an authorized attacker to execute code with a physical attack. |
| CVE-2026-28950 | medium | 6.2 | 6.2 | | | | 21d ago | A logging issue was addressed with improved data redaction. This issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26… |
| CVE-2026-43666 | medium | 6.2 | 6.2 | | | | 21d ago | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, mac… |
| CVE-2026-28985 | medium | 6.2 | 6.2 | | | | 21d ago | A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to … |
| CVE-2026-28897 | medium | 6.2 | 6.2 | | | | 21d ago | A buffer overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 2… |
| CVE-2026-43653 | medium | 6.2 | 6.2 | | | | 21d ago | The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5. An attacker on … |
| CVE-2026-28977 | medium | 6.2 | 6.2 | | | | 21d ago | The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 2… |
| CVE-2026-42199 | medium | 6.2 | 6.2 | | | | 23d ago | Grid: Integer Overflow in Grid::expand_rows Leads to Safe-API Undefined Behavior |
| CVE-2026-41511 | medium | 6.2 | 6.2 | | | | 23d ago | OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle |
| CVE-2026-35902 | medium | 6.2 | 6.2 | | | | 1mo ago | The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication paramete… |
| CVE-2026-6386 | medium | 6.2 | 6.2 | | | | 1mo ago | In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the pres… |
| CVE-2026-28833 | medium | 6.2 | 6.2 | | | | 2mo ago | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed ap… |
| CVE-2026-5071 | medium | 6.1 | 6.1 | | | | 2d ago | The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socke… |
| CVE-2026-49384 | medium | 6.1 | 6.1 | | | | 2d ago | In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible |
| CVE-2026-49375 | medium | 6.1 | 6.1 | | | | 2d ago | In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page |
| CVE-2026-9646 | medium | 6.1 | 6.1 | | | | 3d ago | A reflected cross-site scripting issue exists in URL handling. |
| CVE-2026-47328 | medium | 6.1 | 6.1 | | | | 3d ago | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug… |
| CVE-2026-45307 | medium | 6.1 | 6.1 | | | | 3d ago | Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urlj… |
| CVE-2026-7660 | medium | 6.1 | 6.1 | | | | 4d ago | The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sani… |
| CVE-2026-44681 | medium | 6.1 | 6.1 | | | | 4d ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authoriza… |
| CVE-2026-44475 | medium | 6.1 | 6.1 | | | | 4d ago | Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored va… |
| CVE-2026-49102 | medium | 6.1 | 6.1 | | | | 4d ago | Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain). |
| CVE-2026-47119 | medium | 6.1 | 6.1 | | | | 4d ago | Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the im… |
| CVE-2026-3349 | medium | 6.1 | 6.1 | | | | 5d ago | The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up to, and including, 3.6.1 due to insuffic… |
| CVE-2026-8906 | medium | 6.1 | 6.1 | | | | 5d ago | The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This ma… |
| CVE-2026-3001 | medium | 6.1 | 6.1 | | | | 5d ago | The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output… |
| CVE-2026-8707 | medium | 6.1 | 6.1 | | | | 5d ago | The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and outp… |
| CVE-2026-8911 | medium | 6.1 | 6.1 | | | | 5d ago | The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This … |
| CVE-2026-44897 | medium | 6.1 | 6.1 | | | | 5d ago | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag by string-concatenating the id attribute value directly into the HTM… |
| CVE-2026-44708 | medium | 6.1 | 6.1 | | | | 5d ago | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied con… |
| CVE-2026-44899 | medium | 6.1 | 6.1 | | | | 5d ago | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^… |
| CVE-2026-44896 | medium | 6.1 | 6.1 | | | | 5d ago | Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options direc… |
| CVE-2026-30894 | medium | 6.1 | 6.1 | | | | 5d ago | Lack of output escaping leads to a XSS vector in the content history component. |
| CVE-2026-48903 | medium | 6.1 | 6.1 | | | | 5d ago | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. |
| CVE-2026-48905 | medium | 6.1 | 6.1 | | | | 5d ago | Lack of input filtering leads to an XSS vector in the HTML filter code. |
| CVE-2026-25901 | medium | 6.1 | 6.1 | | | | 5d ago | Lack of output escaping leads to a XSS vector in the multilingual associations component. |
| CVE-2026-25900 | medium | 6.1 | 6.1 | | | | 5d ago | Lack of output escaping leads to a XSS vector in the feed modules. |
| CVE-2026-30895 | medium | 6.1 | 6.1 | | | | 5d ago | Lack of output escaping leads to a XSS vector in the readmore links for com_content. |
| CVE-2026-47070 | medium | 6.1 | 6.1 | | | | 6d ago | HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney |
| CVE-2026-45249 | medium | 6.1 | 6.1 | | | | 7d ago | A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0,… |
| CVE-2026-36226 | medium | 6.1 | 6.1 | | | | 9d ago | Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User compone… |
| CVE-2026-42506 | medium | 6.1 | 6.1 | | | | 9d ago | Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html |
| CVE-2026-42502 | medium | 6.1 | 6.1 | | | | 9d ago | Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html |
| CVE-2026-27136 | medium | 6.1 | 6.1 | | | | 9d ago | Invoking duplicate attributes can cause XSS in golang.org/x/net/html |
| CVE-2026-25681 | medium | 6.1 | 6.1 | | | | 9d ago | Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html |
| CVE-2026-6864 | medium | 6.1 | 6.1 | | | | 10d ago | The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sani… |
| CVE-2026-3481 | medium | 6.1 | 6.1 | | | | 10d ago | The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input saniti… |
| CVE-2026-22880 | medium | 6.1 | 6.1 | | | | 11d ago | Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Ma… |
| CVE-2026-47099 | medium | 6.1 | 6.1 | | | | 11d ago | TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` |
| CVE-2026-26028 | medium | 6.1 | 6.1 | | | | 11d ago | CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS |
| CVE-2026-30691 | medium | 6.1 | 6.1 | | | | 11d ago | Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanit… |
| CVE-2026-5776 | medium | 6.1 | 6.1 | | | | 12d ago | The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks |
| CVE-2026-8627 | medium | 6.1 | 6.1 | | | | 12d ago | The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_pa… |
| CVE-2026-8626 | medium | 6.1 | 6.1 | | | | 12d ago | The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output… |
| CVE-2026-8624 | medium | 6.1 | 6.1 | | | | 12d ago | The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input san… |
| CVE-2026-8420 | medium | 6.1 | 6.1 | | | | 12d ago | The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a func… |
| CVE-2026-7462 | medium | 6.1 | 6.1 | | | | 12d ago | The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitiz… |
| CVE-2026-6395 | medium | 6.1 | 6.1 | | | | 12d ago | The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of n… |
| CVE-2026-6391 | medium | 6.1 | 6.1 | | | | 12d ago | The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect no… |
| CVE-2026-6871 | medium | 6.1 | 6.1 | | | | 12d ago | This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only af… |
| CVE-2026-6367 | medium | 6.1 | 6.1 | | | | 12d ago | Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross s… |
| CVE-2026-6365 | medium | 6.1 | 6.1 | | | | 12d ago | Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability. |
| CVE-2026-6095 | medium | 6.1 | 6.1 | | | | 12d ago | The IframeConsent element writes HTML attributes without escaping their value. This module has a XSS vulnerability. If an attacker is able to write an `<iframe-consent>` tag, they may be able to ins… |
| CVE-2026-5090 | medium | 6.1 | 6.1 | | | | 12d ago | Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could… |
| CVE-2026-31906 | medium | 6.1 | 6.1 | | | | 13d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrad… |
| CVE-2026-31379 | medium | 6.1 | 6.1 | | | | 13d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of… |
| CVE-2026-34000 | medium | 6.1 | 6.1 | | | | 13d ago | A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an at… |
| CVE-2026-45243 | medium | 6.1 | 6.1 | | | | 13d ago | Summarize contains a missing authorization vulnerability |