CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-44007
9.1 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless …

May 13, 2026
CVE-2026-44006
10.0 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. …

May 13, 2026
CVE-2026-44005
10.0 CRITICAL

vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards …

May 13, 2026
CVE-2026-44004
7.5 HIGH

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on …

May 13, 2026
CVE-2026-44003
5.3 MEDIUM

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code …

May 13, 2026
CVE-2026-44002
5.8 MEDIUM

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks …

May 13, 2026
CVE-2026-44001
8.6 HIGH

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the …

May 13, 2026
CVE-2026-44000
6.5 MEDIUM

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the …

May 13, 2026
CVE-2026-43999
9.9 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via …

May 13, 2026
CVE-2026-43998
8.5 HIGH

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load …

May 13, 2026
CVE-2026-43997
10.0 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use …

May 13, 2026
CVE-2026-0265

An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service …

May 13, 2026
CVE-2026-0264

A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access …

May 13, 2026
CVE-2026-0263

A buffer overflow vulnerability in the IKEv2 processing of Palo Alto Networks PAN-OS® software allows an unauthenticated network-based attacker to execute arbitrary code with elevated …

May 13, 2026
CVE-2026-0237

An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to an internal automation bridge. …

May 13, 2026
CVE-2026-44577
5.9 MEDIUM

Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, …

May 13, 2026
CVE-2026-44576
5.4 MEDIUM

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable …

May 13, 2026
CVE-2026-44575
7.5 HIGH

Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or …

May 13, 2026
CVE-2026-44574
8.1 HIGH

Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic …

May 13, 2026
CVE-2026-44573
7.5 HIGH

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured …

May 13, 2026
CVE-2026-2695
6.3 MEDIUM

A command injection vulnerability was discovered in TeamViewer DEX Platform On-Premises (former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows authenticated …

May 13, 2026
CVE-2024-48519
6.2 MEDIUM

Buffer Overflow vulnerability in Ardupilot rover commit v.c56439b045162058df0ff136afea3081fcd06d38 allows a local attacker to cause a denial of service via the AP_InertialSensor_ADIS1647x.cpp, ArduRover, ADIS1647x Sensor component.

May 13, 2026
CVE-2026-8367
4.8 MEDIUM

aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a …

May 13, 2026
CVE-2026-6282
8.1 HIGH

A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move …

May 13, 2026
CVE-2026-6281
8.8 HIGH

A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute …

May 13, 2026
CVE-2026-45740
5.3 MEDIUM

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors …

May 13, 2026
CVE-2026-45033

GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI …

May 13, 2026
CVE-2026-45028
6.1 MEDIUM

Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots …

May 13, 2026
CVE-2026-44665
6.1 MEDIUM

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks …

May 13, 2026
CVE-2026-44664
6.1 MEDIUM

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This …

May 13, 2026
CVE-2026-44572
3.7 LOW

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header …

May 13, 2026
CVE-2026-44479
5.5 MEDIUM

Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or …

May 13, 2026
CVE-2026-44470

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService …

May 13, 2026
CVE-2026-44467

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, …

May 13, 2026
CVE-2026-44459
3.8 LOW

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, …

May 13, 2026
CVE-2026-44458
4.3 MEDIUM

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for …

May 13, 2026
CVE-2026-44457
5.3 MEDIUM

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that …

May 13, 2026
CVE-2026-44456
6.5 MEDIUM

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without …

May 13, 2026
CVE-2026-44455
4.7 MEDIUM

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx …

May 13, 2026
CVE-2026-44432
7.5 HIGH

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) …

May 13, 2026
CVE-2026-44431
5.3 MEDIUM

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward …

May 13, 2026
CVE-2026-44295
8.7 HIGH

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled …

May 13, 2026
CVE-2026-44294
5.3 MEDIUM

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain …

May 13, 2026
CVE-2026-44293
8.8 HIGH

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived …

May 13, 2026
CVE-2026-44292
5.3 MEDIUM

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object …

May 13, 2026
CVE-2026-44291
8.1 HIGH

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables …

May 13, 2026
CVE-2026-44290
7.5 HIGH

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties …

May 13, 2026
CVE-2026-44289
7.5 HIGH

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. …

May 13, 2026
CVE-2026-44288
5.3 MEDIUM

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences …

May 13, 2026
CVE-2026-43489

In the Linux kernel, the following vulnerability has been resolved: liveupdate: luo_file: remember retrieve() status LUO keeps track of successful retrieve attempts on a LUO …

May 13, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.