CVE vulnerabilities

31,509 CVEs indexed, newest first. Filter by CVSS severity or CISA KEV listing; entries in CISA's Known Exploited Vulnerabilities (KEV) catalog are marked with a rose pill. Authored by Adam Lundqvist.
Showing 1,201–1,250 of 8,314 CVEs rated Critical (page 25 of 167).
| CVE ID | CVSS | Summary |
|---|---|---|
| CVE-2026-32136 | 9.8 | AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in A… |
| CVE-2026-32133 | 9.1 | 2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in … |
| CVE-2026-32118 | 9.0 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in… |
| CVE-2026-3207 | 9.8 | Configuration issue in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access. |
| CVE-2026-32064 | 9.1 | OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated ac… |
| CVE-2026-32056 | 9.8 | OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to by… |
| CVE-2026-32052 | 9.8 | OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands… |
| CVE-2026-32048 | 9.9 | OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create chi… |
| CVE-2026-32046 | 9.8 | OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting rend… |
| CVE-2026-32045 | 9.1 | OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password … |
| CVE-2026-3204 | 9.8 | Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message v… |
| CVE-2026-32038 | 9.0 | OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace… |
| CVE-2026-31986 | 9.1 | Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to vers… |
| CVE-2026-31976 | 9.8 | xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (… |
| CVE-2026-31975 | 9.8 | Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSock… |
| CVE-2026-31972 | 9.8 | SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned aga… |
| CVE-2026-31967 | 9.1 | HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_dec… |
| CVE-2026-31966 | 9.1 | HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of… |
| CVE-2026-31957 | 10.0 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured ten… |
| CVE-2026-31946 | 9.8 | OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, Op… |
| CVE-2026-31920 | 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce pro… |
| CVE-2026-31908 | 9.1 | Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. … |
| CVE-2026-31900 | 9.8 | Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for… |
| CVE-2026-31897 | 9.1 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSi… |
| CVE-2026-31896 | 9.8 | WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover… |
| CVE-2026-31885 | 9.4 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unch… |
| CVE-2026-31883 | 9.8 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap… |
| CVE-2026-31881 | 9.8 | Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset reques… |
| CVE-2026-31877 | 9.8 | Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL inje… |
| CVE-2026-31874 | 9.8 | Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate … |
| CVE-2026-31871 | 9.8 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vuln… |
| CVE-2026-3187 | 9.8 | A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys… |
| CVE-2026-31856 | 9.8 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL … |
| CVE-2026-31852 | 9.8 | Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pu… |
| CVE-2026-31851 | 9.8 | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. A… |
| CVE-2026-31848 | 9.8 | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data comb… |
| CVE-2026-31845 | 9.3 | A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarm… |
| CVE-2026-31843 | 9.8 | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated att… |
| CVE-2026-31840 | 9.8 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use … |
| CVE-2026-31818 | 9.9 | Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource … |
| CVE-2026-31816 | 9.1 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware … |
| CVE-2026-31806 | 9.8 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent… |
| CVE-2026-31800 | 9.1 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig … |
| CVE-2026-31789 | 9.8 | Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary:… |
| CVE-2026-31718 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file… |
| CVE-2026-31705 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment smb2_get_ea() applies 4-byte… |
| CVE-2026-31685 | 9.4 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a … |
| CVE-2026-31682 | 9.1 | In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour… |
| CVE-2026-31669 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are l… |
| CVE-2026-31668 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel us… |