CVE vulnerabilities
31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,451–1,500 of 8,314 in Critical · page 30 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-28827 | 9.3 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.… |
| CVE-2026-28808 | 9.8 | Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via s… |
| CVE-2026-28802 | 9.8 | Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malic… |
| CVE-2026-2880 | 9.1 | A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('… |
| CVE-2026-28798 | 10.0 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed… |
| CVE-2026-28795 | 9.8 | OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through natural lan… |
| CVE-2026-28794 | 9.8 | oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerabili… |
| CVE-2026-28792 | 9.6 | Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin… |
| CVE-2026-28787 | 9.0 | OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store th… |
| CVE-2026-28785 | 9.8 | Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL comman… |
| CVE-2026-28783 | 9.1 | Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP func… |
| CVE-2026-28780 | 9.8 | Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server, this AJP server can send a… |
| CVE-2026-28778 | 9.8 | International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user acc… |
| CVE-2026-28777 | 9.8 | International Datacasting Corporation (IDC) SFX2100 Satellite Receiver has a trivial password for the `user` (usr) account. A remote unauthenticated attacker can … |
| CVE-2026-28776 | 9.8 | International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains hardcoded credentials for the `monitor` account. A remote unauthent… |
| CVE-2026-28775 | 9.8 | An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX Series SuperFlex Sat… |
| CVE-2026-28710 | 9.8 | Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows… |
| CVE-2026-28697 | 9.1 | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by … |
| CVE-2026-28680 | 9.3 | Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-re… |
| CVE-2026-28678 | 9.1 | DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be v… |
| CVE-2026-2867 | 9.8 | A vulnerability was determined in itsourcecode Vehicle Management System 1.0. Affected is an unknown function of the file /billaction.php. Executing a manipula… |
| CVE-2026-2865 | 9.8 | A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of … |
| CVE-2026-28562 | 9.8 | wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitiz… |
| CVE-2026-28517 | 9.8 | openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' … |
| CVE-2026-28514 | 9.8 | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a… |
| CVE-2026-28505 | 10.0 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py impl… |
| CVE-2026-28501 | 9.8 | WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.… |
| CVE-2026-28500 | 9.1 | Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypas… |
| CVE-2026-28497 | 9.1 | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion… |
| CVE-2026-2848 | 9.8 | A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/… |
| CVE-2026-28479 | 9.1 | OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vul… |
| CVE-2026-28474 | 9.8 | OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, all… |
| CVE-2026-28472 | 9.8 | OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when … |
| CVE-2026-28470 | 9.8 | OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary comma… |
| CVE-2026-28466 | 9.9 | OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, a… |
| CVE-2026-28462 | 9.1 | OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download f… |
| CVE-2026-28454 | 9.8 | OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to… |
| CVE-2026-28453 | 9.8 | OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the i… |
| CVE-2026-28451 | 9.3 | OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-control… |
| CVE-2026-28448 | 9.4 | OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the all… |
| CVE-2026-28446 | 9.8 | OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist pol… |
| CVE-2026-28443 | 9.8 | OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field pa… |
| CVE-2026-28438 | 9.8 | CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creatin… |
| CVE-2026-28430 | 9.8 | Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to… |
| CVE-2026-28411 | 9.8 | WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an … |
| CVE-2026-28408 | 9.8 | WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's ce… |
| CVE-2026-28395 | 9.1 | OpenClaw versions 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) rela… |
| CVE-2026-28393 | 9.8 | OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execu… |
| CVE-2026-28392 | 9.8 | OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct mes… |
| CVE-2026-28391 | 9.8 | OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allo… |