CVE vulnerabilities
31,467 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 601–650 of 8,314 in Critical · page 13 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-41635 | 9.8 | Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypas… |
| CVE-2026-4163 | 9.8 | A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component… |
| CVE-2026-41589 | 9.6 | Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vu… |
| CVE-2026-41583 | 9.1 | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to val… |
| CVE-2026-41574 | 9.8 | Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost a… |
| CVE-2026-41571 | 9.4 | Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") place… |
| CVE-2026-41553 | 10.0 | PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthe… |
| CVE-2026-41551 | 9.1 | A vulnerability has been identified in ROS# (All versions < V2.2.2). Affected versions contain a path traversal vulnerability because user input is not properl… |
| CVE-2026-41512 | 9.9 | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via … |
| CVE-2026-41509 | 9.8 | CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer… |
| CVE-2026-41507 | 9.8 | math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new … |
| CVE-2026-41501 | 9.8 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in g… |
| CVE-2026-41500 | 9.8 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in g… |
| CVE-2026-41497 | 9.8 | PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument vali… |
| CVE-2026-41492 | 9.8 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoi… |
| CVE-2026-4149 | 9.8 | Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on af… |
| CVE-2026-41478 | 9.9 | Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcor… |
| CVE-2026-41475 | 9.1 | BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's Write… |
| CVE-2026-41473 | 9.1 | CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote att… |
| CVE-2026-41462 | 9.8 | ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly co… |
| CVE-2026-41460 | 9.8 | SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via … |
| CVE-2026-41446 | 9.8 | Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address … |
| CVE-2026-41428 | 9.1 | Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpo… |
| CVE-2026-41415 | 9.1 | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Con… |
| CVE-2026-41409 | 9.8 | The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applie… |
| CVE-2026-41397 | 9.6 | OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file … |
| CVE-2026-41386 | 9.8 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pa… |
| CVE-2026-41329 | 9.9 | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner… |
| CVE-2026-41328 | 9.1 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full re… |
| CVE-2026-41327 | 9.1 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full re… |
| CVE-2026-41323 | 9.1 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall featur… |
| CVE-2026-41304 | 9.8 | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands… |
| CVE-2026-41293 | 9.8 | Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, fr… |
| CVE-2026-41276 | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass a… |
| CVE-2026-41274 | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided inp… |
| CVE-2026-41268 | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated re… |
| CVE-2026-41267 | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerabi… |
| CVE-2026-41265 | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the … |
| CVE-2026-41264 | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the … |
| CVE-2026-41258 | 9.1 | OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() … |
| CVE-2026-41248 | 9.1 | Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypa… |
| CVE-2026-41247 | 9.8 | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in… |
| CVE-2026-41242 | 9.8 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type… |
| CVE-2026-41229 | 9.1 | Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP st… |
| CVE-2026-41228 | 9.9 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not valid… |
| CVE-2026-41225 | 9.1 | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that … |
| CVE-2026-41211 | 10.0 | Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and… |
| CVE-2026-41201 | 9.1 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4… |
| CVE-2026-41196 | 10.0 | Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially… |
| CVE-2026-41193 | 9.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without v… |