Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23329
Total
1657
Critical
7330
High
7410
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-59930 | MEDIUM | 4.3 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N … | Jul 08, 2026 |
| CVE-2026-59929 | MEDIUM | 6.1 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: … | Jul 08, 2026 |
| CVE-2026-59928 | HIGH | 7.5 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic … | Jul 08, 2026 |
| CVE-2026-59927 | MEDIUM | 5.3 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect … | Jul 08, 2026 |
| CVE-2026-59926 | UNKNOWN | — | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML … | Jul 08, 2026 |
| CVE-2026-59925 | HIGH | 7.5 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character … | Jul 08, 2026 |
| CVE-2026-59924 | MEDIUM | 5.9 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result … | Jul 08, 2026 |
| CVE-2026-59923 | MEDIUM | 6.1 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or … | Jul 08, 2026 |
| CVE-2026-59922 | HIGH | 7.5 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a … | Jul 08, 2026 |
| CVE-2026-59897 | MEDIUM | 4.8 | Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop … | Jul 08, 2026 |
| CVE-2026-59896 | MEDIUM | 6.5 | Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request … | Jul 08, 2026 |
| CVE-2026-59895 | MEDIUM | 6.1 | Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain … | Jul 08, 2026 |
| CVE-2026-59892 | HIGH | 7.5 | OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURIComponent() without handling decode errors, … | Jul 08, 2026 |
| CVE-2026-59890 | MEDIUM | 6.1 | setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, … | Jul 08, 2026 |
| CVE-2026-59887 | HIGH | 7.5 | linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked … | Jul 08, 2026 |
| CVE-2026-59883 | MEDIUM | 4.7 | Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact … | Jul 08, 2026 |
| CVE-2026-59882 | MEDIUM | 4.2 | guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, … | Jul 08, 2026 |
| CVE-2026-59879 | UNKNOWN | — | Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an … | Jul 08, 2026 |
| CVE-2026-59731 | HIGH | 8.2 | Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, … | Jul 08, 2026 |
| CVE-2026-59261 | HIGH | 7.1 | OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can … | Jul 08, 2026 |
| CVE-2026-42505 | MEDIUM | 5.3 | Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted … | Jul 08, 2026 |
| CVE-2026-39822 | HIGH | 7.8 | On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the … | Jul 08, 2026 |
| CVE-2026-29009 | HIGH | 8.2 | U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the … | Jul 08, 2026 |
| CVE-2026-29008 | HIGH | 7.5 | U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a … | Jul 08, 2026 |
| CVE-2026-29007 | MEDIUM | 5.3 | U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp_rx_state_machine() (net/tcp.c) when CONFIG_PROT_TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by … | Jul 08, 2026 |