CVE vulnerabilities

31,467 CVEs indexed, newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries are shown with a rose pill. Authored by Adam Lundqvist.
Showing 951–1,000 of 8,314 in Critical · page 20 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-34456 | 9.8 | Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26… |
| CVE-2026-34449 | 9.6 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running Si… |
| CVE-2026-34448 | 9.0 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigge… |
| CVE-2026-34444 | 10.0 | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed thro… |
| CVE-2026-34430 | 9.6 | ByteDance DeerFlow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary com… |
| CVE-2026-34424 | 9.8 | Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that all… |
| CVE-2026-34415 | 9.8 | Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP… |
| CVE-2026-34408 | 9.1 | An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrar… |
| CVE-2026-34400 | 9.8 | Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which buil… |
| CVE-2026-34387 | 9.8 | Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker t… |
| CVE-2026-34374 | 9.1 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpola… |
| CVE-2026-34361 | 9.3 | HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP servic… |
| CVE-2026-34359 | 9.1 | HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServe… |
| CVE-2026-34352 | 8.5 · tigervnc | In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of … |
| CVE-2026-3432 | 9.1 | In SimStudio versions below 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `cred… |
| CVE-2026-3431 | 9.8 | In SimStudio versions below 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrict… |
| CVE-2026-34287 | 9.1 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.… |
| CVE-2026-34286 | 9.1 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.… |
| CVE-2026-34285 | 9.1 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.… |
| CVE-2026-34279 | 9.1 | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are a… |
| CVE-2026-34275 | 9.8 | Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are a… |
| CVE-2026-34263 | 9.6 | Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary s… |
| CVE-2026-34260 | 9.6 | SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements th… |
| CVE-2026-34243 | 9.8 | wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow… |
| CVE-2026-34236 | 9.8 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK,… |
| CVE-2026-34235 | 9.1 | PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's… |
| CVE-2026-34234 | 10.0 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerabl… |
| CVE-2026-34221 | 9.1 | MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollutio… |
| CVE-2026-34220 | 9.8 | MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injec… |
| CVE-2026-3422 | 9.8 | U-Office Force developed by e-Excellence has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on t… |
| CVE-2026-34208 | 10.0 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this p… |
| CVE-2026-34205 | 9.6 | Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host n… |
| CVE-2026-34187 | 9.8 | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via the graph container parameter. This issue affects Pandora… |
| CVE-2026-34184 | 9.1 | Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and… |
| CVE-2026-34179 | 9.1 | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH re… |
| CVE-2026-34178 | 9.1 | In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instan… |
| CVE-2026-34177 | 9.1 | Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.appa… |
| CVE-2026-34162 | 10.0 | FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed witho… |
| CVE-2026-34159 | 9.8 | llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserialize_tensor() skips all bounds validation when a ten… |
| CVE-2026-34156 | 9.9 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow S… |
| CVE-2026-3413 | 9.8 | A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. This man… |
| CVE-2026-3411 | 9.8 | A security vulnerability has been detected in itsourcecode University Management System 1.0. Affected by this issue is some unknown functionality of the file /… |
| CVE-2026-3410 | 9.8 | A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/che… |
| CVE-2026-34084 | 9.8 | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through… |
| CVE-2026-34078 | 10.0 | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can… |
| CVE-2026-34060 | 9.8 · shopify | Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branc… |
| CVE-2026-3406 | 9.8 | A vulnerability was found in projectworlds Online Art Gallery Shop 1.0. The impacted element is an unknown function of the file /admin/registration.php of the … |
| CVE-2026-34045 | 9.1 | Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allow… |
| CVE-2026-34041 | 9.8 | act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-… |
| CVE-2026-34018 | 9.8 | An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product. |
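Two things a practitioner hits when pulling a listing like this into a triage script: the vendor tag is sometimes fused onto the score by extraction (`8.5tigervnc`), and a plain string sort of CVE IDs is not "newest first" (this page places CVE-2026-3432 between CVE-2026-34352 and CVE-2026-34287, which is lexical order). The following is an added example, not code from the index site: it parses rows in the table format above into records, tolerates both tag spellings, buckets by the CVSS v3.x qualitative scale (an assumption; the page does not define its "Critical" filter and it includes an 8.5 entry, so the site may bucket differently), flags KEV membership from a caller-supplied set, and orders by (year, sequence) as integers. The sample rows are copied from this page; the KEV set is constructed for the demo only.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# One table row as rendered on this page, e.g.
#   | CVE-2026-34352 | 8.5 · tigervnc | In TigerVNC before 1.16.2, Image.cxx ... |
# The vendor tag is optional, and extraction sometimes fuses it onto the
# score ("8.5tigervnc"), so the score/tag pattern accepts both spellings.
ROW_RE = re.compile(
    r"^\|\s*(?P<id>CVE-(?P<year>\d{4})-(?P<seq>\d{4,}))\s*\|"
    r"\s*(?P<score>\d{1,2}(?:\.\d)?)\s*(?:·\s*)?(?P<tag>[A-Za-z][\w.-]*)?\s*\|"
    r"\s*(?P<summary>.*?)\s*\|\s*$"
)


@dataclass
class Entry:
    cve_id: str
    year: int
    seq: int
    cvss: float
    tag: Optional[str]
    summary: str
    kev: bool = False  # filled from a separate KEV list; the table carries no KEV column


def parse_rows(table: str) -> list[Entry]:
    """Parse the markdown rows of the index into Entry records; header and separator lines are skipped."""
    entries: list[Entry] = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(
            cve_id=m["id"], year=int(m["year"]), seq=int(m["seq"]),
            cvss=float(m["score"]), tag=m["tag"], summary=m["summary"],
        ))
    return entries


SEVERITY_ORDER = ("None", "Low", "Medium", "High", "Critical")


def severity(score: float) -> str:
    """CVSS v3.x qualitative rating (assumption: the page's own bucketing is not stated)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def select(entries: Iterable[Entry], *, min_severity: str = "Critical",
           kev_ids: frozenset[str] = frozenset()) -> list[Entry]:
    """Apply a severity floor, mark KEV membership, and order newest first.

    Ordering uses (year, sequence) as integers: a string sort would put
    CVE-2026-3432 between CVE-2026-34352 and CVE-2026-34287.
    """
    floor = SEVERITY_ORDER.index(min_severity)
    chosen = [e for e in entries if SEVERITY_ORDER.index(severity(e.cvss)) >= floor]
    for e in chosen:
        e.kev = e.cve_id in kev_ids
    chosen.sort(key=lambda e: (e.year, e.seq), reverse=True)
    return chosen


# Constructed sample: five rows taken from this page, one using the fused tag spelling.
SAMPLE_TABLE = """\
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-34456 | 9.8 | Reviactyl is an open-source game server management panel ... |
| CVE-2026-34444 | 10.0 | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython ... |
| CVE-2026-34352 | 8.5tigervnc | In TigerVNC before 1.16.2, Image.cxx in x0vncserver ... |
| CVE-2026-3432 | 9.1 | In SimStudio versions below 0.5.74, the `/api/auth/oauth/token` endpoint ... |
| CVE-2026-34060 | 9.8 · shopify | Ruby LSP is an implementation of the language server protocol for Ruby ... |
"""

# Constructed KEV set for the demo only; this is NOT a claim that the CVE is KEV-listed.
DEMO_KEV = frozenset({"CVE-2026-34444"})


def demo() -> list[str]:
    """Critical entries from the sample, newest first, with a KEV marker where flagged."""
    entries = select(parse_rows(SAMPLE_TABLE), kev_ids=DEMO_KEV)
    return [f"{e.cve_id} {e.cvss}{' KEV' if e.kev else ''}" for e in entries]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With the v3.x scale the 8.5 TigerVNC row drops out of the Critical view, which is exactly the kind of discrepancy to check before trusting a site's severity filter as an SLA input; pass `min_severity="High"` to keep it.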