List of Issued CVEs

| Summary | Publication | CVE ID | Published Date | Last Updated |
|---|---|---|---|---|
| ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch) | | CVE-2026-28808 | 07 April 2026 | 07 April 2026 |
| OCSP designated-responder authorization bypass via missing signature verification | | CVE-2026-32144 | 07 April 2026 | 07 April 2026 |
| Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver | | CVE-2026-28810 | 07 April 2026 | 07 April 2026 |
| Multipart form body parser bypasses body size limits in wisp | | CVE-2026-32145 | 02 April 2026 | 07 April 2026 |
| XXE in esaml SAML library allows local file read and potential SSRF | | CVE-2026-28809 | 23 March 2026 | 07 April 2026 |
| Denial of Service via Oversized Package Upload | | CVE-2026-23940 | 13 March 2026 | 06 April 2026 |
| Request smuggling via first-wins Content-Length parsing in inets httpd | | CVE-2026-23941 | 13 March 2026 | 07 April 2026 |
| Pre-auth SSH DoS via unbounded zlib inflate | | CVE-2026-23943 | 13 March 2026 | 07 April 2026 |
| SFTP root escape via component-agnostic prefix check in ssh_sftpd | | CVE-2026-23942 | 13 March 2026 | 07 April 2026 |
| Path Traversal in wisp.serve_static allows arbitrary file read | | CVE-2026-28807 | 10 March 2026 | 06 April 2026 |
| Improper authorization in device bulk actions and device update API allows cross-organization device control | | CVE-2026-28806 | 10 March 2026 | 06 April 2026 |
| Password Reset Tokens Do Not Expire | | CVE-2026-21622 | 05 March 2026 | 06 April 2026 |
| Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access | | CVE-2026-21621 | 05 March 2026 | 06 April 2026 |
| Unsafe Deserialization of Erlang Terms in hex_core | | CVE-2026-21619 | 27 February 2026 | 06 April 2026 |
| Path Traversal in Local File Store Backend | | CVE-2026-23939 | 26 February 2026 | 07 April 2026 |
| TFTP Path Traversal | | CVE-2026-21620 | 20 February 2026 | 07 April 2026 |
| Cross-site scripting (XSS) in OAuth Device Authorization screen | | CVE-2026-21618 | 19 January 2026 | 06 April 2026 |
| Authorization bypass when bypass policy condition evaluates to true | | CVE-2025-48044 | 17 October 2025 | 06 April 2026 |
| Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization | | CVE-2025-48043 | 10 October 2025 | 06 April 2026 |
| SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles | | CVE-2025-48041 | 11 September 2025 | 07 April 2026 |
| Malicious Key Exchange Messages may Lead to Excessive Resource Consumption | | CVE-2025-48040 | 11 September 2025 | 06 April 2026 |
| Unverified Paths can Cause Excessive Use of System Resources | | CVE-2025-48039 | 11 September 2025 | 07 April 2026 |
| Unverified File Handles can Cause Excessive Use of System Resources | | CVE-2025-48038 | 11 September 2025 | 07 April 2026 |
| Before action hooks may execute in certain scenarios despite a request being forbidden | | CVE-2025-48042 | 07 September 2025 | 06 April 2026 |
| Missing Session Revocation on Logout in ash_authentication_phoenix | | CVE-2025-4754 | 17 June 2025 | 06 April 2026 |
| Absolute path traversal in zip:unzip/1,2 | | CVE-2025-4748 | 16 June 2025 | 06 April 2026 |

CVEs can also be requested as JSON: GET /cves/index.json

OSV records can also be requested as JSON: GET /osv/all.json