Find vulnerabilities. Fix fast with AI.
Vulnerabilities
377,058
Sort: Published (Newest first)
3.3
CVE-2026-2642
A security vulnerability has been detected in ggreer the_silver_searcher up to 2.2.0. The impacted element is the function search_stream of the file src/search.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
affected
Severity
Low
Published
Feb 19, 2026
7.8
CVE-2025-33236
NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
affected
Severity
High
Published
Feb 19, 2026
8.7
CVE-2026-26314
github.com/ethereum/go-ethereum - Improper Input Validation
affected
Severity
High
Published
Feb 19, 2026
10.0
CVE-2025-14009
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.
affected
Severity
Critical
Published
Feb 19, 2026
3.3
CVE-2026-2659
A vulnerability was determined in Squirrel up to 3.2. Affected by this vulnerability is the function SQFuncState::PopTarget of the file src/squirrel/squirrel/sqfuncstate.cpp. Executing a manipulation of the argument _target_stack can lead to out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
affected
Severity
Low
Published
Feb 19, 2026
8.0
CVE-2025-33245
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
affected
Severity
High
Published
Feb 19, 2026
7.8
CVE-2025-33251
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
affected
Severity
High
Published
Feb 19, 2026
7.1
CVE-2026-26327
OpenClaw - Insufficient Verification of Data Authenticity
affected
Severity
High
Published
Feb 19, 2026
7.8
CVE-2025-33243
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution in distributed environments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
affected
Severity
High
Published
Feb 19, 2026
5.5
CVE-2024-46698
In the Linux kernel, the following vulnerability has been resolved: video/aperture: optionally match the device in sysfb_disable()
In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the primary device is not VGA compatible:
1. A PCI device with a non-VGA class is the boot display
2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by aperture_detach_platform_device()
3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()
4. NULL pointer dereference via sysfb_disable() since the resources have already been freed by aperture_detach_platform_device() when it was called by the other device.
Fix this by passing a device pointer to sysfb_disable() and checking the device to determine if we should execute it or not.
v2: Fix build when CONFIG_SCREEN_INFO is not set
v3: Move device check into the mutex. Drop primary variable in aperture_remove_conflicting_pci_devices(). Drop __init on pci sysfb_pci_dev_is_enabled()
affected
Severity
Medium
Published
Feb 19, 2026
7.1
sonatype-2026-000524
OpenClaw - Insufficient Verification of Data Authenticity
affected
Severity
High
Published
Feb 19, 2026
3.3
CVE-2025-8860
A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.
affected
Severity
Low
Published
Feb 19, 2026
7.5
CVE-2026-2415
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs:
* It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for the email subject.
* Placeholders in subjects and plain text bodies of emails were wrongfully evaluated twice. Therefore, if the first evaluation of a placeholder again contains a placeholder, this second placeholder was rendered. This allows the rendering of placeholders controlled by the ticket buyer, and therefore the exploitation of the first issue as a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to be contained in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions.
Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.
affected
Severity
High
Published
Feb 19, 2026
2.0
CVE-2025-71230
In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfs_fill_super() takes ownership of the filesystem-specific s_fs_info data it was leaked. Fix this by freeing sb->s_fs_info in hfs_kill_super().
affected
Severity
Low
Published
Feb 19, 2026
5.7
CVE-2026-23223
In the Linux kernel, the following vulnerability has been resolved: xfs: fix UAF in xchk_btree_check_block_owner We cannot dereference bs->cur when trying to determine if bs->cur aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed. Fix this by sampling before type before any freeing could happen. The correct temporal ordering was broken when we removed xfs_btnum_t.
affected
Severity
Medium
Published
Feb 19, 2026
8.7
sonatype-2026-000523
Malicious Packages - Tue Feb 17 2026 [Dropper]
affected
Severity
High
Published
Feb 19, 2026
8.7
CVE-2026-2739
bn.js - Infinite Loop
affected
Severity
High
Published
Feb 19, 2026
5.3
sonatype-2026-000522
Malicious Packages - Tue Feb 17 2026 [Info Stealer]
affected
Severity
Medium
Published
Feb 19, 2026
0.0
sonatype-2026-000521
Potentially Unwanted Applications - Tue Feb 17 2026 [PUA]
affected
Severity
None
Published
Feb 19, 2026
3.8
CVE-2026-2733
Keycloak - Improper Authorization
affected
Severity
Low
Published
Feb 19, 2026
3.7
CVE-2026-2708
Libsoup - HTTP Request Smuggling
affected
Severity
Low
Published
Feb 19, 2026
8.7
CVE-2026-25535
jsPDF - Unrestricted Upload of File with Dangerous Type
affected
Severity
High
Published
Feb 19, 2026
0.0
sonatype-2026-000520
Potentially Unwanted Applications - Thu Feb 19 2026 [Obfuscation]
affected
Severity
None
Published
Feb 19, 2026
5.1
CVE-2026-2243
qemu-kvm - Out-of-bounds Read
affected
Severity
Medium
Published
Feb 19, 2026
6.3
CVE-2026-1200
A flaw was found in the rgaufman/live555 fork of live555. A remote attacker could exploit a segmentation fault in the `increaseBufferTo` function. This vulnerability can lead to memory corruption problems and potentially other consequences.
affected
Severity
Medium
Published
Feb 19, 2026