Fri, May 22 · 04:16 AM CDTCVE-2026-46595
10.0/10 · Must read/watchNVDvuln
Summary
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
CVECVE-2026-46595
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 22 · 04:16 AM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Thu, Apr 09 · 03:16 PM CDTCVE-2025-62718
9.9/10 · Must read/watchNVDvuln
Summary
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the config
CVECVE-2025-62718
SeverityCRITICAL
TypeUPDATED
PublishedThu, Apr 09 · 03:16 PM CDT
ModifiedThu, Jul 09 · 01:16 PM CDT
Fri, May 15 · 05:16 PM CDTCVE-2026-44774
9.9/10 · Must read/watchNVDvuln
Summary
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService
CVECVE-2026-44774
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 15 · 05:16 PM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Mon, Oct 12 · 02:15 PM CDTCVE-2020-26867
9.8/10 · Must read/watchNVDvuln
Summary
ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server.
CVECVE-2020-26867
SeverityCRITICAL
TypeUPDATED
PublishedMon, Oct 12 · 02:15 PM CDT
ModifiedThu, Jul 09 · 06:32 PM CDT
Fri, Nov 05 · 10:15 AM CDTCVE-2021-42237
9.8/10 · Must read/watchNVDvuln
Summary
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
CVECVE-2021-42237
SeverityCRITICAL
TypeUPDATED
PublishedFri, Nov 05 · 10:15 AM CDT
ModifiedThu, Jul 09 · 01:57 PM CDT
Mon, Mar 28 · 12:15 AM CDTCVE-2022-26258
9.8/10 · Must read/watchNVDvuln
Summary
D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.
CVECVE-2022-26258
SeverityCRITICAL
TypeUPDATED
PublishedMon, Mar 28 · 12:15 AM CDT
ModifiedThu, Jul 09 · 01:57 PM CDT
Mon, May 04 · 05:16 PM CDTCVE-2026-24781
9.8/10 · Must read/watchNVDvuln
Summary
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.
CVECVE-2026-24781
SeverityCRITICAL
TypeUPDATED
PublishedMon, May 04 · 05:16 PM CDT
ModifiedThu, Jul 09 · 01:16 PM CDT
Tue, May 05 · 10:16 PM CDTCVE-2026-28780
9.8/10 · Must read/watchNVDvuln
Summary
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HT
CVECVE-2026-28780
SeverityCRITICAL
TypeUPDATED
PublishedTue, May 05 · 10:16 PM CDT
ModifiedThu, Jul 09 · 01:16 PM CDT
Fri, Mar 06 · 07:16 PM CSTCVE-2026-29063
9.8/10 · Must read/watchNVDvuln
Summary
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
CVECVE-2026-29063
SeverityCRITICAL
TypeUPDATED
PublishedFri, Mar 06 · 07:16 PM CST
ModifiedThu, Jul 09 · 01:16 PM CDT
Tue, Apr 07 · 04:16 PM CDTCVE-2026-33815
9.8/10 · Must read/watchNVDvuln
Summary
Memory-safety vulnerability in github.com/jackc/pgx/v5.
CVECVE-2026-33815
SeverityCRITICAL
TypeUPDATED
PublishedTue, Apr 07 · 04:16 PM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Tue, Apr 07 · 04:16 PM CDTCVE-2026-33816
9.8/10 · Must read/watchNVDvuln
Summary
Memory-safety vulnerability in github.com/jackc/pgx/v5.
CVECVE-2026-33816
SeverityCRITICAL
TypeUPDATED
PublishedTue, Apr 07 · 04:16 PM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Wed, May 06 · 12:16 PM CDTCVE-2026-43125
9.8/10 · Must read/watchNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation
CVECVE-2026-43125
SeverityCRITICAL
TypeUPDATED
PublishedWed, May 06 · 12:16 PM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Tue, Mar 24 · 12:16 AM CDTCVE-2026-33211
9.6/10 · Must read/watchNVDvuln
Summary
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `Resolut
CVECVE-2026-33211
SeverityCRITICAL
TypeUPDATED
PublishedTue, Mar 24 · 12:16 AM CDT
ModifiedThu, Jul 09 · 01:16 PM CDT
Fri, May 22 · 04:16 PM CDTCVE-2026-39821
9.6/10 · Must read/watchNVDvuln
Summary
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a
CVECVE-2026-39821
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 22 · 04:16 PM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Fri, Mar 20 · 11:16 PM CDTCVE-2026-33186
9.1/10 · Must read/watchNVDvuln
Summary
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g.,
CVECVE-2026-33186
SeverityCRITICAL
TypeUPDATED
PublishedFri, Mar 20 · 11:16 PM CDT
ModifiedThu, Jul 09 · 01:16 PM CDT
Fri, May 22 · 04:16 AM CDTCVE-2026-39830
9.1/10 · Must read/watchNVDvuln
Summary
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
CVECVE-2026-39830
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 22 · 04:16 AM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Fri, May 22 · 04:16 AM CDTCVE-2026-39832
9.1/10 · Must read/watchNVDvuln
Summary
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. A
CVECVE-2026-39832
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 22 · 04:16 AM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Fri, May 22 · 04:16 AM CDTCVE-2026-42508
9.1/10 · Must read/watchNVDvuln
Summary
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
CVECVE-2026-42508
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 22 · 04:16 AM CDT
ModifiedThu, Jul 09 · 01:17 PM CDT
Tue, Mar 17 · 03:16 PM CDTCVE-2026-3564
9.0/10 · Must read/watchNVDvuln
Summary
A condition in the ScreenConnect server component may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios. ScreenConnect host and guest client agents are not independently affected by this CVE.
CVECVE-2026-3564
SeverityCRITICAL
TypeUPDATED
PublishedTue, Mar 17 · 03:16 PM CDT
ModifiedThu, Jul 09 · 06:16 PM CDT
Tue, Apr 03 · 03:44 AM CDTCVE-2011-4042
9.3/10 · Must read/watchNVDvuln
Summary
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code by using a crafted HTML document to obtain control of a function pointer.
CVECVE-2011-4042
SeverityHIGH
TypeUPDATED
PublishedTue, Apr 03 · 03:44 AM CDT
ModifiedThu, Jul 09 · 06:33 PM CDT
Tue, Apr 03 · 03:44 AM CDTCVE-2011-4043
9.3/10 · Must read/watchNVDvuln
Summary
Integer overflow in an unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code via a large value for an integer parameter, leading to a buffer overflow.
CVECVE-2011-4043
SeverityHIGH
TypeUPDATED
PublishedTue, Apr 03 · 03:44 AM CDT
ModifiedThu, Jul 09 · 06:33 PM CDT
Mon, Feb 15 · 01:15 PM CSTCVE-2021-25296
8.8/10 · Worth your timeNVDvuln
Summary
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the N
CVECVE-2021-25296
SeverityHIGH
TypeUPDATED
PublishedMon, Feb 15 · 01:15 PM CST
ModifiedThu, Jul 09 · 01:39 PM CDT
Mon, Feb 15 · 01:15 PM CSTCVE-2021-25297
8.8/10 · Worth your timeNVDvuln
Summary
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI
CVECVE-2021-25297
SeverityHIGH
TypeUPDATED
PublishedMon, Feb 15 · 01:15 PM CST
ModifiedThu, Jul 09 · 01:39 PM CDT
Mon, Feb 15 · 01:15 PM CSTCVE-2021-25298
8.8/10 · Worth your timeNVDvuln
Summary
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagio
CVECVE-2021-25298
SeverityHIGH
TypeUPDATED
PublishedMon, Feb 15 · 01:15 PM CST
ModifiedThu, Jul 09 · 01:39 PM CDT
Wed, Apr 08 · 02:16 AM CDTCVE-2026-27140
8.8/10 · Worth your timeNVDvuln
Summary
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
CVECVE-2026-27140
SeverityHIGH
TypeUPDATED
PublishedWed, Apr 08 · 02:16 AM CDT
ModifiedThu, Jul 09 · 01:16 PM CDT