Common Vulnerabilities and Exposures (CVE)

CVE-2026-39987

Apr 9, 2026 17:44:29 UTC

marimo is a reactive Python notebook. Prior to 0.23.0, marimo has a pre-auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell an...

CVE-2026-35405

Apr 9, 2026 17:44:08 UTC

libp2p-rust is the official Rust language implementation of the libp2p networking stack. Prior to 0.17.1, the libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering u...

CVE-2026-3005

Apr 9, 2026 17:41:29 UTC

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user s...

CVE-2026-40072

Apr 9, 2026 17:41:14 UTC

web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in...

CVE-2026-40071

Apr 9, 2026 17:36:24 UTC

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invo...

CVE-2026-0385

Apr 9, 2026 17:29:53 UTC

Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability

CVE-2026-26133

Apr 9, 2026 17:29:52 UTC

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVE-2026-32187

Apr 9, 2026 17:29:51 UTC

Microsoft Edge (Chromium-based) Defense in Depth Vulnerability

CVE-2026-26144

Apr 9, 2026 17:29:50 UTC

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.

CVE-2026-26141

Apr 9, 2026 17:29:50 UTC

Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.

CVE-2026-26130

Apr 9, 2026 17:29:49 UTC

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

CVE-2026-26123

Apr 9, 2026 17:29:49 UTC

Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.

CVE-2026-26118

Apr 9, 2026 17:29:48 UTC

Server-side request forgery (SSRF) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.

CVE-2026-26117

Apr 9, 2026 17:29:47 UTC

Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.

CVE-2026-26110

Apr 9, 2026 17:29:47 UTC

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.