Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-31249 |
|
Unsafe Deserialization in deserialization (CVE-2026-31249)
vulnerability in deserialization (CVE-2026-31249). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-31250 |
|
Unsafe Deserialization in deserialization (CVE-2026-31250)
vulnerability in deserialization (CVE-2026-31250). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-42860 |
|
SSRF (Server-Side Request Forgery) in edx-enterprise (CVE-2026-42860)
SSRF in edx-enterprise (CVE-2026-42860). Confidential information can be exposed externally. Exploitable via ``sync_provider_data``. Mitigation: upgrade to `7.0.5` or later.
|
| CVE-2026-42858 |
|
SSRF (Server-Side Request Forgery) in openedx (CVE-2026-42858)
SSRF in openedx (CVE-2026-42858). Confidential information can be exposed externally.
|
| CVE-2026-42315 |
|
Path Traversal in pyload-ng (CVE-2026-42315)
path traversal in pyload-ng (CVE-2026-42315). Data can be tampered with by attackers. Exploitable via ``Perms.MODIFY``. Mitigation: upgrade to `0.5.0b3.dev100` or later.
|
| CVE-2026-42313 |
|
Vulnerability in pyload-ng (CVE-2026-42313)
vulnerability in pyload-ng (CVE-2026-42313). Confidential information can be exposed externally. Exploitable via ``ADMIN_ONLY_CORE_OPTIONS``. Mitigation: upgrade to `0.5.0b3.dev100` or later.
|
| CVE-2026-41431 |
|
Vulnerability in CVE-2026-41431 (CVE-2026-41431)
vulnerability in CVE-2026-41431 (CVE-2026-41431). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.19.9b` or later.
|
| CVE-2026-42843 |
|
Authorization Flaw in getgrav/grav-plugin-api (CVE-2026-42843)
vulnerability in getgrav/grav-plugin-api (CVE-2026-42843). Successful exploitation can lead to full system takeover. Exploitable via ``api.access``. Mitigation: upgrade to `1.0.0-beta.15` or later.
|
| CVE-2026-44738 |
|
Information Disclosure in getgrav/grav (CVE-2026-44738)
vulnerability in getgrav/grav (CVE-2026-44738). Confidential information can be exposed externally. Exploitable via ``admin.pages``. Mitigation: upgrade to `2.0.0-rc.2` or later.
|
| CVE-2026-42603 |
|
Code Injection in CVE-2026-42603 (CVE-2026-42603)
code injection in CVE-2026-42603 (CVE-2026-42603). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `2.1.2` or later.
|
| CVE-2026-42349 |
|
Vulnerability in @clerk/shared (CVE-2026-42349)
vulnerability in @clerk/shared (CVE-2026-42349). Confidential information can be exposed externally. Exploitable via ``clerkMiddleware``. Mitigation: upgrade to `4.8.3` or later.
|
| CVE-2026-45109 |
|
Vulnerability in next (CVE-2026-45109)
vulnerability in next (CVE-2026-45109). Confidential information can be exposed externally. Exploitable via ``middleware.ts``. Mitigation: upgrade to `16.2.6` or later.
|
| CVE-2026-45061 |
|
SSRF (Server-Side Request Forgery) in budibase (CVE-2026-45061)
SSRF in budibase (CVE-2026-45061). Confidential information can be exposed externally. Exploitable via `POST /api/plugin`. Mitigation: upgrade to `3.35.10` or later.
|
| CVE-2026-45047 |
|
Vulnerability in github.com/xddxdd/bird-lg-go (CVE-2026-45047)
vulnerability in github.com/xddxdd/bird-lg-go (CVE-2026-45047). Risk of unauthorized operations or information disclosure. Exploitable via ``apiHandler``. Mitigation: upgrade to `0.0.0-20260507060110-0ff87024cb9e` or later.
|
| CVE-2026-7816 |
|
OS Command Injection in pgadmin4 (CVE-2026-7816)
OS command injection in pgadmin4 (CVE-2026-7816). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `9.15` or later.
|
| CVE-2026-7818 |
|
Unsafe Deserialization in pgadmin4 (CVE-2026-7818)
vulnerability in pgadmin4 (CVE-2026-7818). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `9.15` or later.
|
| CVE-2026-7815 |
|
SQL Injection in pgadmin4 (CVE-2026-7815)
SQL injection in pgadmin4 (CVE-2026-7815). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `9.15` or later.
|
| CVE-2026-42612 |
|
Cross-Site Scripting (XSS) in getgrav/grav (CVE-2026-42612)
cross-site scripting in getgrav/grav (CVE-2026-42612). Confidential information can be exposed externally. Exploitable via ``onerror``. Mitigation: upgrade to `2.0.0-beta.2` or later.
|
| CVE-2026-42611 |
|
Cross-Site Scripting (XSS) in getgrav/grav (CVE-2026-42611)
cross-site scripting in getgrav/grav (CVE-2026-42611). Confidential information can be exposed externally. Exploitable via `POST /grav-log`. Mitigation: upgrade to `2.0.0-beta.2` or later.
|
| CVE-2026-42609 |
|
Privilege Escalation in getgrav/grav (CVE-2026-42609)
vulnerability in getgrav/grav (CVE-2026-42609). Data can be tampered with by attackers. Exploitable via ``d904efc33``. Mitigation: upgrade to `2.0.0-beta.2` or later.
|
| CVE-2026-34092 |
|
Information Disclosure in mediawiki (CVE-2026-34092)
vulnerability in mediawiki (CVE-2026-34092). Confidential information can be exposed externally.
|
| CVE-2026-34091 |
|
Information Disclosure in mediawiki (CVE-2026-34091)
vulnerability in mediawiki (CVE-2026-34091). Confidential information can be exposed externally.
|
| CVE-2026-34090 |
|
Information Disclosure in mediawiki (CVE-2026-34090)
vulnerability in mediawiki (CVE-2026-34090). Confidential information can be exposed externally.
|
| CVE-2026-34088 |
|
Information Disclosure in mediawiki (CVE-2026-34088)
vulnerability in mediawiki (CVE-2026-34088). Confidential information can be exposed externally.
|
| CVE-2026-34087 |
|
Information Disclosure in mediawiki (CVE-2026-34087)
vulnerability in mediawiki (CVE-2026-34087). Confidential information can be exposed externally.
|
| CVE-2025-65418 |
|
Path Traversal in path-traversal (CVE-2025-65418)
path traversal in path-traversal (CVE-2025-65418). Confidential information can be exposed externally.
|
| CVE-2026-31247 |
|
Vulnerability in docling (CVE-2026-31247)
vulnerability in docling (CVE-2026-31247). Risk of unauthorized operations or information disclosure.
|
| CVE-2025-61314 |
|
Cross-Site Scripting (XSS) in CVE-2025-61314 (CVE-2025-61314)
cross-site scripting in CVE-2025-61314 (CVE-2025-61314). Confidential information can be exposed externally.
|
| CVE-2025-61313 |
|
Cross-Site Scripting (XSS) in CVE-2025-61313 (CVE-2025-61313)
cross-site scripting in CVE-2025-61313 (CVE-2025-61313). Confidential information can be exposed externally.
|
| CVE-2025-61312 |
|
Cross-Site Scripting (XSS) in CVE-2025-61312 (CVE-2025-61312)
cross-site scripting in CVE-2025-61312 (CVE-2025-61312). Confidential information can be exposed externally.
|
| CVE-2025-61311 |
|
Cross-Site Scripting (XSS) in CVE-2025-61311 (CVE-2025-61311)
cross-site scripting in CVE-2025-61311 (CVE-2025-61311). Confidential information can be exposed externally.
|
| CVE-2026-40217 |
|
Vulnerability in litellm (CVE-2026-40217)
vulnerability in litellm (CVE-2026-40217). Successful exploitation can lead to full system takeover. Exploitable via `POST /guardrails/test_custom_code`. Mitigation: upgrade to `1.83.10` or later.
|
| CVE-2026-44543 |
|
Vulnerability in github.com/rancher/local-path-provisioner (CVE-2026-44543)
vulnerability in github.com/rancher/local-path-provisioner (CVE-2026-44543). Confidential information can be exposed externally. Exploitable via ``helperPod.yaml``. Mitigation: upgrade to `0.0.36` or later.
|
| CVE-2026-44521 |
|
SQL Injection in studio-42/elfinder (CVE-2026-44521)
SQL injection in studio-42/elfinder (CVE-2026-44521). Successful exploitation can lead to full system takeover. Exploitable via ``elFinderVolumeMySQL``. Mitigation: upgrade to `2.1.68` or later.
|
| CVE-2026-44516 |
|
Vulnerability in com.ritense.valtimo:web (CVE-2026-44516)
vulnerability in com.ritense.valtimo:web (CVE-2026-44516). Confidential information can be exposed externally. Exploitable via ``LoggingRestClientCustomizer``. Mitigation: upgrade to `13.26.0` or later.
|
| CVE-2026-44483 |
|
Vulnerability in @rvf/set-get (CVE-2026-44483)
vulnerability in @rvf/set-get (CVE-2026-44483). Data can be tampered with by attackers. Exploitable via ``setPath``. Mitigation: upgrade to `6.0.4` or later.
|
| CVE-2026-44579 |
|
Vulnerability in next (CVE-2026-44579)
vulnerability in next (CVE-2026-44579). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44578 |
|
SSRF (Server-Side Request Forgery) in next (CVE-2026-44578)
SSRF in next (CVE-2026-44578). Confidential information can be exposed externally. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44575 |
|
Vulnerability in next (CVE-2026-44575)
vulnerability in next (CVE-2026-44575). Confidential information can be exposed externally. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44574 |
|
Vulnerability in next (CVE-2026-44574)
vulnerability in next (CVE-2026-44574). Confidential information can be exposed externally. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44573 |
|
Authorization Flaw in next (CVE-2026-44573)
vulnerability in next (CVE-2026-44573). Confidential information can be exposed externally. Exploitable via ``i18n``. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44473 |
|
Vulnerability in github.com/ellanetworks/core (CVE-2026-44473)
vulnerability in github.com/ellanetworks/core (CVE-2026-44473). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.10.0` or later.
|
| CVE-2026-45017 |
|
Path Traversal in python-liquid (CVE-2026-45017)
path traversal in python-liquid (CVE-2026-45017). Confidential information can be exposed externally. Exploitable via ``FileSystemLoader``. Mitigation: upgrade to `2.2.0` or later.
|
| CVE-2026-44971 |
|
SSRF (Server-Side Request Forgery) in guarddog (CVE-2026-44971)
SSRF in guarddog (CVE-2026-44971). Confidential information can be exposed externally. Exploitable via ``GH_TOKEN``.
|
| CVE-2026-44902 |
|
Vulnerability in @opentelemetry/exporter-prometheus (CVE-2026-44902)
vulnerability in @opentelemetry/exporter-prometheus (CVE-2026-44902). Risk of unauthorized operations or information disclosure. Exploitable via ``TypeError``. Mitigation: upgrade to `0.217.0` or later.
|
| CVE-2026-44346 |
|
OS Command Injection in bentoml (CVE-2026-44346)
OS command injection in bentoml (CVE-2026-44346). Successful exploitation can lead to full system takeover. Exploitable via ``bentofile.yaml``. Mitigation: upgrade to `1.4.39` or later.
|
| CVE-2026-44345 |
|
OS Command Injection in bentoml (CVE-2026-44345)
OS command injection in bentoml (CVE-2026-44345). Successful exploitation can lead to full system takeover. Exploitable via ``docker.base_image``. Mitigation: upgrade to `1.4.39` or later.
|
| CVE-2026-4802 |
|
OS Command Injection in CVE-2026-4802 (CVE-2026-4802)
OS command injection in CVE-2026-4802 (CVE-2026-4802). Successful exploitation can lead to full system takeover.
|
| CVE-2026-44569 |
|
Vulnerability in open-webui (CVE-2026-44569)
vulnerability in open-webui (CVE-2026-44569). Data can be tampered with by attackers. Exploitable via ``message_id``. Mitigation: upgrade to `0.6.19` or later.
|
| CVE-2026-44565 |
|
Path Traversal in open-webui (CVE-2026-44565)
path traversal in open-webui (CVE-2026-44565). Data can be tampered with by attackers. Exploitable via ``DELETE_ME``. Mitigation: upgrade to `0.6.10` or later.
|