CVE vulnerabilities
31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,151–1,200 of 8,314 in Critical · page 24 of 167
| ID | Title | Summary |
|---|---|---|
| CVE-2026-32731 | CVE-2026-32731 CVSS 9.9 | ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` c… |
| CVE-2026-32714 | CVE-2026-32714 CVSS 9.8 | SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection be… |
| CVE-2026-32710 | CVE-2026-32710 CVSS 9.9 | MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a… |
| CVE-2026-3271 | CVE-2026-3271 CVSS 9.8 | A vulnerability was found in Tenda F453 1.0.0.3. This impacts the function fromP2pListFilter of the file /goform/P2pListFilterof of the component httpd. The ma… |
| CVE-2026-32669 | CVE-2026-32669 CVSS 9.8 | Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, arbitrary code may be executed on the products. |
| CVE-2026-32661 | CVE-2026-32661 CVSS 9.8 | Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a sp… |
| CVE-2026-3266 | CVE-2026-3266 CVSS 9.8 | Missing Authorization vulnerability in OpenText™ Filr allows Authentication Bypass. The vulnerability could allow unauthenticated users to get XSRF token and d… |
| CVE-2026-32644 | CVE-2026-32644 CVSS 9.8 | Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys. |
| CVE-2026-32640 | CVE-2026-32640 CVSS 9.8 | SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through… |
| CVE-2026-32635 | CVE-2026-32635 CVSS 9.0 | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.… |
| CVE-2026-32633 | CVE-2026-32633 CVSS 9.1 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw… |
| CVE-2026-32626 | CVE-2026-32626 CVSS 9.6 | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM … |
| CVE-2026-32621 | CVE-2026-32621 CVSS 9.9 | Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability… |
| CVE-2026-32613 | CVE-2026-32613 CVSS 9.9 | Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process informa… |
| CVE-2026-32611 | CVE-2026-32611 CVSS 9.1 | Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by… |
| CVE-2026-3261 | CVE-2026-3261 CVSS 9.8 | A flaw has been found in itsourcecode School Management System 1.0. This impacts an unknown function of the file /settings/index.php of the component Setting H… |
| CVE-2026-32604 | CVE-2026-32604 CVSS 9.9 | Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute… |
| CVE-2026-32573 | CVE-2026-32573 CVSS 9.1 | Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue af… |
| CVE-2026-3257 | CVE-2026-3257 CVSS 9.8 | UnQLite versions through 0.06 for Perl use a potentially insecure version of the UnQLite library. UnQLite for Perl embeds the UnQLite library. Version 0.06 … |
| CVE-2026-3256 | CVE-2026-3256 CVSS 9.8 | HTTP::Session versions through 0.53 for Perl default to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to ge… |
| CVE-2026-32539 | CVE-2026-32539 CVSS 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Bl… |
| CVE-2026-32536 | CVE-2026-32536 CVSS 9.9 | Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files. This iss… |
| CVE-2026-32525 | CVE-2026-32525 CVSS 9.9 | Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection. This issue affects J… |
| CVE-2026-32524 | CVE-2026-32524 CVSS 9.1 | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server. This issue affects… |
| CVE-2026-32523 | CVE-2026-32523 CVSS 9.9 | Unrestricted Upload of File with Dangerous Type vulnerability in denishua WPJAM Basic wpjam-basic allows Using Malicious Files. This issue affects WPJAM Basic: … |
| CVE-2026-32520 | CVE-2026-32520 CVSS 9.8 | Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation. This issue affects RewardsWP: from n… |
| CVE-2026-32519 | CVE-2026-32519 CVSS 9.0 | Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation. This issue affects Bit SMTP: from n/a through <= 1.2.2. |
| CVE-2026-32512 | CVE-2026-32512 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection. This issue affects Pe… |
| CVE-2026-32502 | CVE-2026-32502 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection. This issue affects Borgholm: … |
| CVE-2026-32499 | CVE-2026-32499 CVSS 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection. T… |
| CVE-2026-32482 | CVE-2026-32482 CVSS 9.9 | Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server. This issue affects Ona: from n/a t… |
| CVE-2026-32367 | CVE-2026-32367 CVSS 9.1 | Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code Inclusion. This issue a… |
| CVE-2026-32311 | CVE-2026-32311 CVSS 9.8 | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to cre… |
| CVE-2026-32306 | CVE-2026-32306 CVSS 9.9 | OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, a… |
| CVE-2026-32304 | CVE-2026-32304 CVSS 9.8 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes … |
| CVE-2026-32301 | CVE-2026-32301 CVSS 9.3 | Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configure… |
| CVE-2026-32298 | CVE-2026-32298 CVSS 9.1 | The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level co… |
| CVE-2026-32275 | CVE-2026-32275 CVSS 9.1 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback para… |
| CVE-2026-32267 | CVE-2026-32267 CVSS 9.8 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-priv… |
| CVE-2026-32260 | CVE-2026-32260 CVSS 9.8 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, a command injection vulnerability exists in Deno's node:child_process polyfill… |
| CVE-2026-32253 | CVE-2026-32253 CVSS 9.8 | Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because o… |
| CVE-2026-32248 | CVE-2026-32248 CVSS 9.8 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated … |
| CVE-2026-3224 | CVE-2026-3224 CVSS 9.8 | Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to … |
| CVE-2026-32238 | CVE-2026-32238 CVSS 9.1 | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection … |
| CVE-2026-32232 | CVE-2026-32232 CVSS 9.8 | ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypas… |
| CVE-2026-32213 | CVE-2026-32213 CVSS 9.8 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-32194 | CVE-2026-32194 CVSS 9.8 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code ov… |
| CVE-2026-32191 | CVE-2026-32191 CVSS 9.8 | Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute … |
| CVE-2026-32186 | CVE-2026-32186 CVSS 9.8 | Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-32169 | CVE-2026-32169 CVSS 9.8 | Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network. |