Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-46597 | UNKNOWN | — | An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. | May 22, 2026 |
| CVE-2026-46595 | UNKNOWN | — | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the … | May 22, 2026 |
| CVE-2026-42508 | UNKNOWN | — | Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked. | May 22, 2026 |
| CVE-2026-39835 | UNKNOWN | — | SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a … | May 22, 2026 |
| CVE-2026-39834 | UNKNOWN | — | When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused … | May 22, 2026 |
| CVE-2026-39833 | UNKNOWN | — | The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, … | May 22, 2026 |
| CVE-2026-39832 | UNKNOWN | — | When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when … | May 22, 2026 |
| CVE-2026-39831 | UNKNOWN | — | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing … | May 22, 2026 |
| CVE-2026-39830 | UNKNOWN | — | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not … | May 22, 2026 |
| CVE-2026-39829 | UNKNOWN | — | The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or … | May 22, 2026 |
| CVE-2026-39828 | UNKNOWN | — | When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a … | May 22, 2026 |
| CVE-2026-39827 | UNKNOWN | — | An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting … | May 22, 2026 |
| CVE-2026-9264 | UNKNOWN | — | A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The … | May 22, 2026 |
| CVE-2026-34911 | HIGH | 7.7 | A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files … | May 22, 2026 |
| CVE-2026-34910 | CRITICAL | 10.0 | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | May 22, 2026 |
| CVE-2026-34909 | CRITICAL | 10.0 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying … | May 22, 2026 |
| CVE-2026-34908 | CRITICAL | 10.0 | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to … | May 22, 2026 |
| CVE-2026-33000 | CRITICAL | 9.1 | A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute … | May 22, 2026 |
| CVE-2026-5297 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | May 21, 2026 |
| CVE-2026-8435 | UNKNOWN | — | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a … | May 21, 2026 |
| CVE-2026-8434 | UNKNOWN | — | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a … | May 21, 2026 |
| CVE-2026-8433 | UNKNOWN | — | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a … | May 21, 2026 |
| CVE-2026-8432 | UNKNOWN | — | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a … | May 21, 2026 |
| CVE-2026-8427 | UNKNOWN | — | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a … | May 21, 2026 |
| CVE-2026-8416 | UNKNOWN | — | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a … | May 21, 2026 |