CVE vulnerabilities
31,509 CVEs indexed — newest first. Authored by Adam Lundqvist.
Showing 1,551–1,600 of 8,314 in Critical · page 32 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-2786 | 9.8 | Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-27851 | 9.1 | When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to b… |
| CVE-2026-2785 | 9.8 | Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-27849 | 9.8 | Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for… |
| CVE-2026-27848 | 9.8 | Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root … |
| CVE-2026-27847 | 9.8 | Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known … |
| CVE-2026-27843 | 9.1 | A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentica… |
| CVE-2026-27842 | 9.8 | Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration. |
| CVE-2026-2784 | 9.8 | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-27837 | 9.8 | Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype p… |
| CVE-2026-27820 | 9.8 | zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vuln… |
| CVE-2026-2782 | 9.8 | Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-27816 | 9.1 | EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length li… |
| CVE-2026-27815 | 9.1 | EVerest is an EV charging software stack. Prior to version 2026.02.0, ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options l… |
| CVE-2026-27812 | 9.1 | Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 i… |
| CVE-2026-2781 | 9.8 | Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Fir… |
| CVE-2026-27809 | 9.1 | psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data… |
| CVE-2026-27804 | 9.1 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthent… |
| CVE-2026-2780 | 9.8 | Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-2779 | 9.8 | Incorrect boundary conditions in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbir… |
| CVE-2026-2778 | 10.0 | Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox… |
| CVE-2026-27772 | 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the b… |
| CVE-2026-2777 | 9.8 | Privilege escalation in the Messaging System component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, an… |
| CVE-2026-27767 | 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the b… |
| CVE-2026-2776 | 10.0 | Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability was fixed in Firefox 148, Firefox ESR 1… |
| CVE-2026-27755 | 9.8 | SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authentica… |
| CVE-2026-27751 | 9.8 | SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative ac… |
| CVE-2026-2775 | 9.8 | Mitigation bypass in the DOM: HTML Parser component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and T… |
| CVE-2026-27744 | 9.8 | The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket … |
| CVE-2026-27743 | 9.8 | The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_suppri… |
| CVE-2026-2774 | 9.8 | Integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunder… |
| CVE-2026-2773 | 9.8 | Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, … |
| CVE-2026-27727 | 9.8 | mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for rem… |
| CVE-2026-2772 | 9.8 | Use-after-free in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and… |
| CVE-2026-2771 | 9.8 | Undefined behavior in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and … |
| CVE-2026-27707 | 9.8 | Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authenticati… |
| CVE-2026-27703 | 9.8 | RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In … |
| CVE-2026-27702 | 9.0 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase… |
| CVE-2026-2770 | 9.8 | Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, an… |
| CVE-2026-27699 | 9.8 | The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A m… |
| CVE-2026-27697 | 9.8 | baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in v… |
| CVE-2026-27685 | 9.1 | SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could resu… |
| CVE-2026-27681 | 9.9 | Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL s… |
| CVE-2026-2768 | 10.0 | Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-2767 | 9.8 | Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-2766 | 9.8 | Use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-27650 | 9.8 | OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the … |
| CVE-2026-2765 | 9.8 | Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-27647 | 9.8 | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identi… |
| CVE-2026-27641 | 9.8 | Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attacke… |