CVE vulnerabilities
31,200 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 51–100 of 8,314 in Critical · page 2 of 167
| ID | Title and CVSS score | Summary |
|---|---|---|
| CVE-2026-8603 | CVE-2026-8603 CVSS 9.8 | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. |
| CVE-2026-8602 | CVE-2026-8602 CVSS 9.1 | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to t… |
| CVE-2026-8598 | CVE-2026-8598 CVSS 9.1 | An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical… |
| CVE-2026-8580 | CVE-2026-8580 CVSS 9.6 | Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chr… |
| CVE-2026-8511 | CVE-2026-8511 CVSS 9.6 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chrom… |
| CVE-2026-8507 | CVE-2026-8507 CVSS 9.8 | Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT S… |
| CVE-2026-8500 | CVE-2026-8500 CVSS 9.8 | Web::Passwd versions through 0.03 for Perl are vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command… |
| CVE-2026-8495 | CVE-2026-8495 CVSS 9.8 | Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15. |
| CVE-2026-8401 | CVE-2026-8401 CVSS 9.8 | Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11. |
| CVE-2026-8398 | Daemon Tools Lite Embedded Malicious Code Vulnerability KEV CVSS 9.8 | Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability. |
| CVE-2026-8305 | CVE-2026-8305 CVSS 9.8 | A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbl… |
| CVE-2026-8263 | CVE-2026-8263 CVSS 9.8 | A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of th… |
| CVE-2026-8181 | CVE-2026-8181 CVSS 9.8 | The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versi… |
| CVE-2026-8153 | CVE-2026-8153 CVSS 9.8 | OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands tha… |
| CVE-2026-8094 | CVE-2026-8094 CVSS 9.8 | Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2. |
| CVE-2026-8091 | CVE-2026-8091 CVSS 9.8 | Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thund… |
| CVE-2026-8043 | CVE-2026-8043 CVSS 9.6 | External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HT… |
| CVE-2026-8034 | CVE-2026-8034 CVSS 9.8 | A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal s… |
| CVE-2026-7910 | CVE-2026-7910 CVSS 9.6 | Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via… |
| CVE-2026-7908 | CVE-2026-7908 CVSS 9.6 | Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.… |
| CVE-2026-7854 | CVE-2026-7854 CVSS 9.8 | A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affected by this vulnerability is the function url_rule_asp of the file /url_rule.asp … |
| CVE-2026-7853 | CVE-2026-7853 CVSS 9.8 | A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the function sprintf of the file /auto_reboot.asp of the component HTTP Handler. This … |
| CVE-2026-7834 | CVE-2026-7834 CVSS 9.8 | A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This issue affects the function get_csrf_whites of the file /cgi/advanced/misc_main.c… |
| CVE-2026-7823 | CVE-2026-7823 CVSS 9.8 | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The man… |
| CVE-2026-7821 | CVE-2026-7821 CVSS 9.1 | Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device bel… |
| CVE-2026-7813 | CVE-2026-7813 CVSS 9.9 | Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple en… |
| CVE-2026-7747 | CVE-2026-7747 CVSS 9.8 | A security flaw has been discovered in Totolink N300RH 3.2.4-B20220812. Affected by this vulnerability is the function loginauth of the file /cgi-bin/cstecgi.c… |
| CVE-2026-7719 | CVE-2026-7719 CVSS 9.8 | A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of … |
| CVE-2026-7690 | CVE-2026-7690 CVSS 9.8 | A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manip… |
| CVE-2026-7637 | CVE-2026-7637 CVSS 9.8 | The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYX… |
| CVE-2026-7567 | CVE-2026-7567 CVSS 9.8 | The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation… |
| CVE-2026-7546 | CVE-2026-7546 CVSS 9.8 | A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. The impacted element is the function find_host_ip of the component lightt… |
| CVE-2026-7538 | CVE-2026-7538 CVSS 9.8 | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the c… |
| CVE-2026-7482 | CVE-2026-7482 CVSS 9.1 | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file… |
| CVE-2026-7458 | CVE-2026-7458 CVSS 9.8 | The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to t… |
| CVE-2026-7415 | CVE-2026-7415 CVSS 9.8 | The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same net… |
| CVE-2026-7414 | CVE-2026-7414 CVSS 9.8 | Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running … |
| CVE-2026-7413 | CVE-2026-7413 CVSS 9.8 | A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functiona… |
| CVE-2026-7411 | CVE-2026-7411 CVSS 10.0 | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote … |
| CVE-2026-7381 | CVE-2026-7381 CVSS 9.1 | Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation se… |
| CVE-2026-7374 | CVE-2026-7374 CVSS 9.9 | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to… |
| CVE-2026-7372 | CVE-2026-7372 CVSS 9.0 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an … |
| CVE-2026-7333 | CVE-2026-7333 CVSS 9.6 | Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chro… |
| CVE-2026-7321 | CVE-2026-7321 CVSS 9.6 | Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox … |
| CVE-2026-7304 | CVE-2026-7304 CVSS 9.8 | SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Pyt… |
| CVE-2026-7302 | CVE-2026-7302 CVSS 9.1 | SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere … |
| CVE-2026-7301 | CVE-2026-7301 CVSS 9.8 | SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages,… |
| CVE-2026-7284 | CVE-2026-7284 CVSS 9.8 | The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions u… |
| CVE-2026-7261 | CVE-2026-7261 CVSS 9.8 | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESS… |
| CVE-2026-7251 | CVE-2026-7251 CVSS 9.8 | Eppendorf BioFlo 320 is vulnerable due to VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with r… |