CVE vulnerabilities
31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,401–1,450 of 8,314 in Critical · page 29 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-30281 | 9.8 | An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to… |
| CVE-2026-30278 | 9.8 | An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.33 allows attackers to overwrite critical internal files via the file import pr… |
| CVE-2026-30276 | 9.8 | An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite critical internal files via the file import proces… |
| CVE-2026-30269 | 9.9 | Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platfor… |
| CVE-2026-3025 | 9.8 | A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP… |
| CVE-2026-30232 | 9.6 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows… |
| CVE-2026-30118 | 9.8 | scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulner… |
| CVE-2026-30117 | 9.8 | scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This … |
| CVE-2026-30079 | 9.8 | In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be b… |
| CVE-2026-3000 | 9.8 | IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to … |
| CVE-2026-2999 | 9.8 | IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to … |
| CVE-2026-29861 | 9.8 | PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php. |
| CVE-2026-29859 | 9.8 | An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2026-2983 | 9.8 | A vulnerability was determined in SourceCodester Student Result Management System 1.0. The impacted element is an unknown function of the file /admin/core/impo… |
| CVE-2026-29796 | 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the bac… |
| CVE-2026-29793 | 9.8 | Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can s… |
| CVE-2026-29792 | 9.8 | Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attac… |
| CVE-2026-29649 | 9.8 | NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated ba… |
| CVE-2026-29646 | 9.8 | In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie… |
| CVE-2026-2964 | 9.8 | A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. Impacted is the function extend in the library lib/WebAudioRecorder.js of the compone… |
| CVE-2026-2954 | 9.8 | A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the compone… |
| CVE-2026-2953 | 9.1 | A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the comp… |
| CVE-2026-2952 | 9.8 | A flaw has been found in Vaelsys 4.1.0. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. T… |
| CVE-2026-29515 | 9.8 | MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without… |
| CVE-2026-2944 | 9.8 | A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. Affected is the function system of the file /cgi-bin/monitor.php … |
| CVE-2026-2942 | 9.8 | The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' fu… |
| CVE-2026-29204 | 9.1 | Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownersh… |
| CVE-2026-29198 | 9.8 | In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the firs… |
| CVE-2026-29191 | 9.3 | ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allow… |
| CVE-2026-29186 | 9.8 | Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary cod… |
| CVE-2026-29145 | 9.1 | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This … |
| CVE-2026-29143 | 9.1 | SEPPmail Secure Email Gateway before version 15.0.3 does not properly authenticate the inner message of S/MIME-encrypted MIME entities, allowing an attacker to… |
| CVE-2026-29139 | 9.8 | SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password. |
| CVE-2026-29133 | 9.1 | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address. |
| CVE-2026-29128 | 10.0 | IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zebra, bgpd, ospfd, and ripd) that are own… |
| CVE-2026-2912 | 9.8 | A vulnerability was found in code-projects Online Reviewer System 1.0. Impacted is an unknown function of the file /system/system/students/assessments/results/… |
| CVE-2026-29119 | 9.8 | International Datacasting Corporation (IDC) SFX Series SuperFlex (SFX2100) Satellite Receiver contains hardcoded and insecure credentials for the `admin` account… |
| CVE-2026-29093 | 9.8 | WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.… |
| CVE-2026-29075 | 9.8 | Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checki… |
| CVE-2026-29067 | 9.3 | ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanis… |
| CVE-2026-29065 | 9.1 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality … |
| CVE-2026-29063 | 9.8 | Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via th… |
| CVE-2026-29058 | 9.8 | AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting she… |
| CVE-2026-29053 | 9.8 | Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server runn… |
| CVE-2026-29045 | 9.8 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based… |
| CVE-2026-29042 | 9.8 | Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command in… |
| CVE-2026-29014 | 9.8 | MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by se… |
| CVE-2026-29000 | 9.1 | pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allo… |
| CVE-2026-2894 | 9.1 | A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget… |
| CVE-2026-28858 | 9.8 | A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote user may be able to cause unexpected s… |