Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-42289 |
|
Privilege Escalation in csrf (CVE-2026-42289)
vulnerability in csrf (CVE-2026-42289). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `7.3.2` or later.
|
| CVE-2026-41901 |
|
Vulnerability in org.thymeleaf:thymeleaf (CVE-2026-41901)
vulnerability in org.thymeleaf:thymeleaf (CVE-2026-41901). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.1.5.RELEASE` or later.
|
| CVE-2026-42288 |
|
Code Injection in CVE-2026-42288 (CVE-2026-42288)
code injection in CVE-2026-42288 (CVE-2026-42288). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `7.3.2` or later.
|
| CVE-2026-43680 |
|
Code Injection in claris (CVE-2026-43680)
code injection in claris (CVE-2026-43680). Successful exploitation can lead to full system takeover.
|
| CVE-2026-42158 |
|
Vulnerability in CVE-2026-42158 (CVE-2026-42158)
vulnerability in CVE-2026-42158 (CVE-2026-42158). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.2.3` or later.
|
| CVE-2026-42157 |
|
Cross-Site Scripting (XSS) in CVE-2026-42157 (CVE-2026-42157)
cross-site scripting in CVE-2026-42157 (CVE-2026-42157). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.2.3` or later.
|
| CVE-2026-43685 |
|
OS Command Injection in claris (CVE-2026-43685)
OS command injection in claris (CVE-2026-43685). Successful exploitation can lead to full system takeover.
|
| CVE-2026-1250 |
|
SQL Injection in wordpress (CVE-2026-1250)
SQL injection in wordpress (CVE-2026-1250). Confidential information can be exposed externally.
|
| CVE-2025-15463 |
|
Code Injection in wordpress (CVE-2025-15463)
code injection in wordpress (CVE-2025-15463). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-44660 |
|
Vulnerability in ujson (CVE-2026-44660)
vulnerability in ujson (CVE-2026-44660). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `5.12.1` or later.
|
| CVE-2026-44652 |
|
SSRF (Server-Side Request Forgery) in sillytavern (CVE-2026-44652)
SSRF in sillytavern (CVE-2026-44652). Risk of unauthorized operations or information disclosure. Exploitable via `GET /proxy/`. Mitigation: upgrade to `1.18.0` or later.
|
| CVE-2026-44651 |
|
Cross-Site Scripting (XSS) in sillytavern (CVE-2026-44651)
cross-site scripting in sillytavern (CVE-2026-44651). Risk of unauthorized operations or information disclosure. Exploitable via `GET /proxy/`. Mitigation: upgrade to `1.18.0` or later.
|
| CVE-2026-44650 |
|
Path Traversal in sillytavern (CVE-2026-44650)
path traversal in sillytavern (CVE-2026-44650). Data can be tampered with by attackers. Exploitable via `POST /api/extensions/delete`. Mitigation: upgrade to `1.18.0` or later.
|
| CVE-2026-44649 |
|
Vulnerability in sillytavern (CVE-2026-44649)
vulnerability in sillytavern (CVE-2026-44649). Successful exploitation can lead to full system takeover. Exploitable via ``config.yaml``. Mitigation: upgrade to `1.18.0` or later.
|
| CVE-2026-44594 |
|
Path Traversal in github.com/esm-dev/esm.sh (CVE-2026-44594)
path traversal in github.com/esm-dev/esm.sh (CVE-2026-44594). Confidential information can be exposed externally. Exploitable via ``browser``. Mitigation: upgrade to `0.0.0-20250616164159-0593516c4cfa` or later.
|
| CVE-2026-44593 |
|
Path Traversal in github.com/esm-dev/esm.sh (CVE-2026-44593)
path traversal in github.com/esm-dev/esm.sh (CVE-2026-44593). Risk of unauthorized operations or information disclosure. Exploitable via ``legacyServer``. Mitigation: upgrade to `0.0.0-20260508100112-1960055e1d53` or later.
|
| CVE-2026-45227 |
|
Vulnerability in CVE-2026-45227 (CVE-2026-45227)
vulnerability in CVE-2026-45227 (CVE-2026-45227). Successful exploitation can lead to full system takeover.
|
| CVE-2026-45226 |
|
Authorization Flaw in CVE-2026-45226 (CVE-2026-45226)
vulnerability in CVE-2026-45226 (CVE-2026-45226). Confidential information can be exposed externally.
|
| CVE-2026-8449 |
|
Out-of-Bounds Read in privilege-escalation (CVE-2026-8449)
vulnerability in privilege-escalation (CVE-2026-8449). Successful exploitation can lead to full system takeover.
|
| CVE-2026-44871 |
|
Command Injection in arubanetworks (CVE-2026-44871)
command injection in arubanetworks (CVE-2026-44871). Successful exploitation can lead to full system takeover.
|
| CVE-2026-44307 |
|
Path Traversal in Mako (CVE-2026-44307)
path traversal in Mako (CVE-2026-44307). Risk of unauthorized operations or information disclosure. Exploitable via ``Template.__init__``. Mitigation: upgrade to `1.3.12` or later.
|
| CVE-2026-45225 |
|
Path Traversal in path-traversal (CVE-2026-45225)
path traversal in path-traversal (CVE-2026-45225). Data can be tampered with by attackers.
|
| CVE-2026-44305 |
|
Vulnerability in lemur (CVE-2026-44305)
vulnerability in lemur (CVE-2026-44305). Confidential information can be exposed externally. Exploitable via ``ldap``. Mitigation: upgrade to `1.9.0` or later.
|
| CVE-2026-44262 |
|
Code Injection in dedoc/scramble (CVE-2026-44262)
code injection in dedoc/scramble (CVE-2026-44262). Confidential information can be exposed externally. Mitigation: upgrade to `0.13.22` or later.
|
| CVE-2026-44296 |
|
Vulnerability in dos (CVE-2026-44296)
vulnerability in dos (CVE-2026-44296). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.26.0.167` or later.
|
| CVE-2026-44260 |
|
Authorization Flaw in CVE-2026-44260 (CVE-2026-44260)
vulnerability in CVE-2026-44260 (CVE-2026-44260). Confidential information can be exposed externally. Mitigation: upgrade to `4.08.010` or later.
|
| CVE-2026-44301 |
|
Path Traversal in github.com/gohugoio/hugo (CVE-2026-44301)
path traversal in github.com/gohugoio/hugo (CVE-2026-44301). Confidential information can be exposed externally. Mitigation: upgrade to `0.161.0` or later.
|
| CVE-2026-44259 |
|
Vulnerability in CVE-2026-44259 (CVE-2026-44259)
vulnerability in CVE-2026-44259 (CVE-2026-44259). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `4.08.010` or later.
|
| CVE-2026-44302 |
|
Vulnerability in Snappier (CVE-2026-44302)
vulnerability in Snappier (CVE-2026-44302). Risk of unauthorized operations or information disclosure. Exploitable via ``Snappier.SnappyStream``. Mitigation: upgrade to `1.3.1` or later.
|
| CVE-2026-44258 |
|
OS Command Injection in path-traversal (CVE-2026-44258)
OS command injection in path-traversal (CVE-2026-44258). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `4.08.010` or later.
|
| CVE-2026-44257 |
|
Command Injection in tomcat (CVE-2026-44257)
command injection in tomcat (CVE-2026-44257). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `4.08.010` or later.
|
| CVE-2026-44241 |
|
Vulnerability in io.micronaut:micronaut-context (CVE-2026-44241)
vulnerability in io.micronaut:micronaut-context (CVE-2026-44241). Risk of unauthorized operations or information disclosure. Exploitable via ``TimeConverterRegistrar``. Mitigation: upgrade to `3.8.14` or later.
|
| CVE-2026-44242 |
|
Vulnerability in io.micronaut:micronaut-inject (CVE-2026-44242)
vulnerability in io.micronaut:micronaut-inject (CVE-2026-44242). Risk of unauthorized operations or information disclosure. Exploitable via ``ResourceBundleMessageSource``. Mitigation: upgrade to `3.8.14` or later.
|
| CVE-2026-43948 |
|
Authorization Flaw in wger (CVE-2026-43948)
vulnerability in wger (CVE-2026-43948). Successful exploitation can lead to full system takeover. Exploitable via `GET /en/gym/user/`. Mitigation: upgrade to `2.6` or later.
|
| CVE-2026-42855 |
|
Authentication Bypass in espressif (CVE-2026-42855)
authentication bypass in espressif (CVE-2026-42855). Confidential information can be exposed externally. Exploitable via `Authorization header`. Mitigation: upgrade to `3.3.8` or later.
|
| CVE-2026-41195 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-41195)
SSRF in ssrf (CVE-2026-41195). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.4.13` or later.
|
| CVE-2026-42196 |
|
Path Traversal in django-s3file (CVE-2026-42196)
path traversal in django-s3file (CVE-2026-42196). Risk of unauthorized operations or information disclosure. Exploitable via ``S3FileMiddleware``. Mitigation: upgrade to `7.0.2` or later.
|
| CVE-2026-42544 |
|
Vulnerability in granian (CVE-2026-42544)
vulnerability in granian (CVE-2026-42544). Risk of unauthorized operations or information disclosure. Exploitable via ``Err``. Mitigation: upgrade to `2.7.4` or later.
|
| CVE-2026-42854 |
|
Vulnerability in espressif (CVE-2026-42854)
vulnerability in espressif (CVE-2026-42854). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.3.8` or later.
|
| CVE-2026-42844 |
|
Privilege Escalation in getgrav/grav (CVE-2026-42844)
vulnerability in getgrav/grav (CVE-2026-42844). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/v1/auth/token`. Mitigation: upgrade to `2.0.0-beta.4` or later.
|
| CVE-2026-42268 |
|
Vulnerability in modsecurity (CVE-2026-42268)
vulnerability in modsecurity (CVE-2026-42268). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `3.0.15` or later.
|
| CVE-2026-42545 |
|
Vulnerability in granian (CVE-2026-42545)
vulnerability in granian (CVE-2026-42545). Risk of unauthorized operations or information disclosure. Exploitable via ``Location``. Mitigation: upgrade to `2.7.4` or later.
|
| CVE-2026-40863 |
|
Vulnerability in phpoffice/phpspreadsheet (CVE-2026-40863)
vulnerability in phpoffice/phpspreadsheet (CVE-2026-40863). Risk of unauthorized operations or information disclosure. Exploitable via ``cachedHighestRow``. Mitigation: upgrade to `1.30.4` or later.
|
| CVE-2026-40902 |
|
Vulnerability in phpoffice/phpspreadsheet (CVE-2026-40902)
vulnerability in phpoffice/phpspreadsheet (CVE-2026-40902). Risk of unauthorized operations or information disclosure. Exploitable via ``cachedHighestRow``. Mitigation: upgrade to `1.30.4` or later.
|
| CVE-2026-33570 |
|
Authorization Flaw in CVE-2026-33570 (CVE-2026-33570)
vulnerability in CVE-2026-33570 (CVE-2026-33570). Confidential information can be exposed externally.
|
| CVE-2026-35555 |
|
Authorization Flaw in CVE-2026-35555 (CVE-2026-35555)
vulnerability in CVE-2026-35555 (CVE-2026-35555). Data can be tampered with by attackers.
|
| CVE-2026-26289 |
|
Authorization Flaw in CVE-2026-26289 (CVE-2026-26289)
vulnerability in CVE-2026-26289 (CVE-2026-26289). Confidential information can be exposed externally.
|
| CVE-2026-44403 |
|
Code Injection in wftpserver (CVE-2026-44403)
code injection in wftpserver (CVE-2026-44403). Successful exploitation can lead to full system takeover.
|
| CVE-2026-44012 |
|
Vulnerability in craftcms/cms (CVE-2026-44012)
vulnerability in craftcms/cms (CVE-2026-44012). Risk of unauthorized operations or information disclosure. Exploitable via ``viewAssets``. Mitigation: upgrade to `5.9.18` or later.
|
| CVE-2026-44246 |
|
Vulnerability in dkfz (CVE-2026-44246)
vulnerability in dkfz (CVE-2026-44246). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2.4.1` or later.
|