CVE vulnerabilities
31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,651–1,700 of 8,314 in Critical · page 34 of 167
| ID | Title | Summary |
|---|---|---|
| CVE-2026-27243 | CVE-2026-27243 CVSS 9.3 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerabi… |
| CVE-2026-27211 | CVE-2026-27211 CVSS 10.0 | Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 are vulnerable to arbitrary host file exfiltration (constrained by… |
| CVE-2026-27197 | CVE-2026-27197 CVSS 9.1 | Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO imple… |
| CVE-2026-27194 | CVE-2026-27194 CVSS 9.8 | D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. U… |
| CVE-2026-27190 | CVE-2026-27190 CVSS 9.8 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation… |
| CVE-2026-27180 | CVE-2026-27180 CVSS 9.8 | MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The save… |
| CVE-2026-27179 | CVE-2026-27179 CVSS 9.8 | MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly… |
| CVE-2026-27175 | CVE-2026-27175 CVSS 9.8 | MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolat… |
| CVE-2026-27174 | CVE-2026-27174 CVSS 9.8 | MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/p… |
| CVE-2026-27168 | CVE-2026-27168 CVSS 9.8 | SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-base… |
| CVE-2026-27148 | CVE-2026-27148 CVSS 9.6 | Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebS… |
| CVE-2026-27143 | CVE-2026-27143 CVSS 9.8 | Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing t… |
| CVE-2026-27130 | CVE-2026-27130 CVSS 9.9 | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained iss… |
| CVE-2026-27112 | CVE-2026-27112 CVSS 9.9 | Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of bot… |
| CVE-2026-27095 | CVE-2026-27095 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Obje… |
| CVE-2026-27084 | CVE-2026-27084 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection. This issue affects Buisson: from n/a through <= 1.1.11. |
| CVE-2026-27083 | CVE-2026-27083 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection. This issue affects Work & Travel … |
| CVE-2026-27082 | CVE-2026-27082 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection. This issue affects Love Story: from n/a through <= 1.3… |
| CVE-2026-27071 | CVE-2026-27071 CVSS 9.1 | Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCa… |
| CVE-2026-27067 | CVE-2026-27067 CVSS 9.1 | Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server. This issu… |
| CVE-2026-27065 | CVE-2026-27065 CVSS 9.8 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress al… |
| CVE-2026-27051 | CVE-2026-27051 CVSS 9.8 | Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege Escalation. This issue affects Golo: from n/a through <= 1.7.0. |
| CVE-2026-27049 | CVE-2026-27049 CVSS 9.8 | Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse. This issue affects Jobic… |
| CVE-2026-27044 | CVE-2026-27044 CVSS 9.9 | Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion. This issue af… |
| CVE-2026-27028 | CVE-2026-27028 CVSS 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the b… |
| CVE-2026-27012 | CVE-2026-27012 CVSS 9.8 | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication by… |
| CVE-2026-27005 | CVE-2026-27005 CVSS 9.8 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unaut… |
| CVE-2026-27002 | CVE-2026-27002 CVSS 9.8 | OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker option… |
| CVE-2026-2699 | CVE-2026-2699 CVSS 9.8 | Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing s… |
| CVE-2026-26988 | CVE-2026-26988 CVSS 9.1 | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_tab… |
| CVE-2026-26974 | CVE-2026-26974 CVSS 9.8 | Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files includin… |
| CVE-2026-26956 | CVE-2026-26956 CVSS 9.8 | vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside V… |
| CVE-2026-26954 | CVE-2026-26954 CVSS 10.0 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an… |
| CVE-2026-2691 | CVE-2026-2691 CVSS 9.8 | A vulnerability has been found in itsourcecode Event Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/manage_regi… |
| CVE-2026-2690 | CVE-2026-2690 CVSS 9.8 | A flaw has been found in itsourcecode Event Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?actio… |
| CVE-2026-2689 | CVE-2026-2689 CVSS 9.8 | A vulnerability was detected in itsourcecode Event Management System 1.0. Affected is an unknown function of the file /admin/manage_booking.php. The manipulati… |
| CVE-2026-2686 | CVE-2026-2686 CVSS 9.8 | A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipu… |
| CVE-2026-2684 | CVE-2026-2684 CVSS 9.8 | A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file… |
| CVE-2026-26833 | CVE-2026-26833 CVSS 9.8 | thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenate… |
| CVE-2026-26832 | CVE-2026-26832 CVSS 9.8 | node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js… |
| CVE-2026-26831 | CVE-2026-26831 CVSS 9.8 | textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames… |
| CVE-2026-26830 | CVE-2026-26830 CVSS 9.8 | pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertComman… |
| CVE-2026-2682 | CVE-2026-2682 CVSS 9.8 | A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/Publi… |
| CVE-2026-26795 | CVE-2026-26795 CVSS 9.8 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnera… |
| CVE-2026-26793 | CVE-2026-26793 CVSS 9.8 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to exe… |
| CVE-2026-26792 | CVE-2026-26792 CVSS 9.8 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version,… |
| CVE-2026-26791 | CVE-2026-26791 CVSS 9.8 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This … |
| CVE-2026-26747 | CVE-2026-26747 CVSS 9.1 | A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined… |
| CVE-2026-26725 | CVE-2026-26725 CVSS 9.8 | An issue in edu Business Solutions Print Shop Pro WebDesk v.18.34 (fixed in 19.76) allows a remote attacker to escalate privileges via the AccessID parameter. |
| CVE-2026-26722 | CVE-2026-26722 CVSS 9.4 | An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via PIN component of the login fu… |