CVE vulnerabilities
31,467 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,051–1,100 of 8,314 in Critical · page 22 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-33615 | 9.1 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special… |
| CVE-2026-33608 | 9.8 | An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration t… |
| CVE-2026-33598 | 9.1 | A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache. |
| CVE-2026-33587 | 10.0 | Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker contain… |
| CVE-2026-33579 | 9.9 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core app… |
| CVE-2026-33557 | 9.1 | A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.a… |
| CVE-2026-33519 | 9.8 | An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check per… |
| CVE-2026-33516 | 9.1 | xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase. The issue occu… |
| CVE-2026-33511 | 9.8 | pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's… |
| CVE-2026-33494 | 10.0 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior … |
| CVE-2026-33478 | 10.0 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to all… |
| CVE-2026-33475 | 9.1 | Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHu… |
| CVE-2026-33471 | 9.6 | nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then … |
| CVE-2026-33466 | 9.8 | Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Rel… |
| CVE-2026-33454 | 9.4 | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) on… |
| CVE-2026-33453 | 10.0 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap c… |
| CVE-2026-33447 | 9.8 | CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can… |
| CVE-2026-33446 | 9.8 | CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server … |
| CVE-2026-33439 | 9.8 | Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code … |
| CVE-2026-33432 | 9.1 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is ena… |
| CVE-2026-33409 | 9.1 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authent… |
| CVE-2026-33407 | 9.1 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_P… |
| CVE-2026-33396 | 9.9 | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve re… |
| CVE-2026-33352 | 9.8 | WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `ge… |
| CVE-2026-33351 | 9.1 | WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/… |
| CVE-2026-33340 | 9.1 | LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability ha… |
| CVE-2026-33334 | 9.6 | Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper ena… |
| CVE-2026-33322 | 9.8 | MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerab… |
| CVE-2026-33309 | 9.9 | Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (Exte… |
| CVE-2026-33297 | 9.1 | WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to s… |
| CVE-2026-33289 | 9.8 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection… |
| CVE-2026-33286 | 9.1 | Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execu… |
| CVE-2026-33280 | 9.8 | Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, result… |
| CVE-2026-33278 | 9.8 | NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote cod… |
| CVE-2026-33265 | 9.0 | In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API. |
| CVE-2026-33229 | 9.8 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected s… |
| CVE-2026-33228 | 9.8 | flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as di… |
| CVE-2026-33211 | 9.6 | Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1,… |
| CVE-2026-33210 | 9.1 | Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can… |
| CVE-2026-33202 | 9.1 | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskServi… |
| CVE-2026-33195 | 9.8 | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskServi… |
| CVE-2026-33186 | 9.1 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2… |
| CVE-2026-33183 | 9.1 | Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under th… |
| CVE-2026-33131 | 9.1 | H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastUR… |
| CVE-2026-33128 | 10.0 | H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE… |
| CVE-2026-33122 | 9.8 | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource up… |
| CVE-2026-33117 | 9.1 | The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison wa… |
| CVE-2026-33109 | 9.9 | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. |
| CVE-2026-33107 | 9.8 | Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-33105 | 9.8 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. |
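Several entries on this page are JWT handling bugs (the MinIO "JWT algorithm confusion" entry, the LibreChat dual-API JWT entry). The class is worth seeing in code, because the root cause is always the same: the verifier lets the token's own `alg` header decide how the signature is checked. The block below is an added illustration written for this page, not MinIO's, LibreChat's or any listed project's code, and it does not reproduce any listed vulnerability. It uses only the Python standard library: a minimal HS256 signer, a forged `alg: none` token, a verifier that trusts the header (the vulnerable pattern) and a verifier that pins the expected algorithm and compares the MAC in constant time. The RS256-to-HS256 variant, where an attacker signs with the server's public key as the HMAC secret, has the identical fix and is omitted only because it needs an RSA implementation. The secret key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demonstration; not from any real deployment.
SAMPLE_KEY = b"constructed-demo-hmac-secret"
SAMPLE_CLAIMS = {"sub": "alice", "role": "user"}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Legitimate issuer: header pinned to HS256, signature over header.payload."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload = _encode_json(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_unsigned(claims: dict) -> str:
    """Attacker: rewrite the header to alg=none and send an empty signature."""
    header = _encode_json({"alg": "none", "typ": "JWT"})
    return f"{header}.{_encode_json(claims)}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """VULNERABLE pattern: the algorithm is read from the untrusted header."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":  # attacker-selected: no signature check at all
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("bad signature")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened: the verifier decides the algorithm; the header must merely agree."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the MAC, so a byte-by-byte mismatch is not observable.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def accepts(verifier, token: str, key: bytes) -> bool:
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = sign_hs256(SAMPLE_CLAIMS, SAMPLE_KEY)
    forged = forge_unsigned({"sub": "alice", "role": "admin"})
    print("trusting header accepts forged token:", accepts(verify_trusting_header, forged, SAMPLE_KEY))
    print("pinned verifier accepts forged token: ", accepts(verify_pinned, forged, SAMPLE_KEY))
    print("pinned verifier accepts real token:   ", accepts(verify_pinned, good, SAMPLE_KEY))
```

The practical check when triaging any of the JWT entries above is the same question the two verifiers answer differently: does the library call take the algorithm (and the key type that goes with it) from the caller, or from the token? Production libraries expose this as an `algorithms` allow-list parameter; if a deployment omits it, the token's header is in charge.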