CVE vulnerabilities
31,467 CVEs indexed, newest first. Entries can be filtered by CVSS severity or by CISA KEV listing; KEV-listed entries are flagged in the table. Authored by Adam Lundqvist.
Showing 501–550 of 8,314 in Critical · page 11 of 167
| ID | Title | Summary |
|---|---|---|
| CVE-2026-42601 | CVE-2026-42601 CVSS 9.8 | ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config J… |
| CVE-2026-42596 | CVE-2026-42596 CVSS 9.4 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature… |
| CVE-2026-42589 | CVE-2026-42589 CVSS 9.8 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata … |
| CVE-2026-42584 | CVE-2026-42584 CVSS 9.1 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with… |
| CVE-2026-42581 | CVE-2026-42581 CVSS 9.8 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-L… |
| CVE-2026-42579 | CVE-2026-42579 CVSS 9.1 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 doma… |
| CVE-2026-4257 | CVE-2026-4257 CVSS 9.8 | The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all version… |
| CVE-2026-42569 | CVE-2026-42569 CVSS 9.4 | phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a lega… |
| CVE-2026-42560 | CVE-2026-42560 CVSS 9.1 | auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps eve… |
| CVE-2026-42556 | CVE-2026-42556 CVSS 9.0 | Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HT… |
| CVE-2026-42555 | CVE-2026-42555 CVSS 9.1 | Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.… |
| CVE-2026-4254 | CVE-2026-4254 CVSS 9.8 | A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the … |
| CVE-2026-42523 | CVE-2026-42523 CVSS 9.0 | Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook tri… |
| CVE-2026-4252 | CVE-2026-4252 CVSS 9.8 | A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation l… |
| CVE-2026-42508 | CVE-2026-42508 CVSS 9.1 | Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @re… |
| CVE-2026-42484 | CVE-2026-42484 CVSS 9.8 | A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute ar… |
| CVE-2026-42483 | CVE-2026-42483 CVSS 9.8 | A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code v… |
| CVE-2026-42482 | CVE-2026-42482 CVSS 9.8 | A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of serv… |
| CVE-2026-42473 | CVE-2026-42473 CVSS 9.8 | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from the filesystem in the F… |
| CVE-2026-42472 | CVE-2026-42472 CVSS 9.8 | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The session and cache handlers use unserialize() on data from Redis in the RedisHandl… |
| CVE-2026-42457 | CVE-2026-42457 CVSS 9.0 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.… |
| CVE-2026-42454 | CVE-2026-42454 CVSS 9.9 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container mana… |
| CVE-2026-42376 | CVE-2026-42376 CVSS 9.8 | D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80tel… |
| CVE-2026-42370 | CVE-2026-42370 CVSS 9.0 · geovision | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an … |
| CVE-2026-42369 | CVE-2026-42369 CVSS 10.0 | GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application a… |
| CVE-2026-42368 | CVE-2026-42368 CVSS 9.9 · geovision | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to … |
| CVE-2026-42363 | CVE-2026-42363 CVSS 9.3 | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast pack… |
| CVE-2026-42354 | CVE-2026-42354 CVSS 9.8 | Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML… |
| CVE-2026-42302 | CVE-2026-42302 CVSS 9.8 | FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticat… |
| CVE-2026-42298 | CVE-2026-42298 CVSS 10.0 · gitroom | Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github… |
| CVE-2026-42288 | CVE-2026-42288 CVSS 10.0 | ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vu… |
| CVE-2026-42284 | CVE-2026-42284 CVSS 9.8 | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then exec… |
| CVE-2026-4228 | CVE-2026-4228 CVSS 9.8 | A vulnerability was detected in LB-LINK BL-WR9000 2.4.9. This affects the function sub_458754 of the file /goform/set_wifi. The manipulation results in command… |
| CVE-2026-42264 | CVE-2026-42264 CVSS 9.1 | Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPa… |
| CVE-2026-4226 | CVE-2026-4226 CVSS 9.8 | A weakness has been identified in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /goform/get_virtual_cfg. Executing a man… |
| CVE-2026-42258 | CVE-2026-42258 CVSS 9.8 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to com… |
| CVE-2026-42257 | CVE-2026-42257 CVSS 9.8 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP comma… |
| CVE-2026-42249 | CVE-2026-42249 CVSS 9.8 | Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers… |
| CVE-2026-42248 | CVE-2026-42248 CVSS 9.8 | Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation… |
| CVE-2026-42238 | CVE-2026-42238 CVSS 9.8 | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is compl… |
| CVE-2026-42235 | CVE-2026-42235 CVSS 9.6 | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP … |
| CVE-2026-42233 | CVE-2026-42233 CVSS 9.8 | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allow… |
| CVE-2026-4223 | CVE-2026-4223 CVSS 9.8 | A vulnerability was identified in itsourcecode Payroll Management System 1.0. This issue affects some unknown processing of the file /manage_employee.php. Such… |
| CVE-2026-42222 | CVE-2026-42222 CVSS 9.8 | Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial instal… |
| CVE-2026-42221 | CVE-2026-42221 CVSS 9.8 | Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initia… |
| CVE-2026-42217 | CVE-2026-42217 CVSS 9.8 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions … |
| CVE-2026-42216 | CVE-2026-42216 CVSS 9.1 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions … |
| CVE-2026-42208 | BerriAI LiteLLM SQL Injection Vulnerability · KEV · CVSS 9.8 · BerriAI | BerriAI LiteLLM contains a SQL injection vulnerability that allows an attacker to read data from the proxy's database and potentially modify it, leading to una… |
| CVE-2026-42193 | CVE-2026-42193 CVSS 9.1 | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads fro… |
| CVE-2026-4214 | CVE-2026-4214 CVSS 9.8 | A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS… |