31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,701–1,750 of 8,314 in Critical · page 35 of 167
| ID | Title | Summary |
|---|---|---|
| CVE-2026-26720 | CVE-2026-26720 CVSS 9.8 | An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module. |
| CVE-2026-26713 | CVE-2026-26713 CVSS 9.8 | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php. |
| CVE-2026-26712 | CVE-2026-26712 CVSS 9.8 | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php. |
| CVE-2026-26711 | CVE-2026-26711 CVSS 9.8 | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket.php. |
| CVE-2026-26710 | CVE-2026-26710 CVSS 9.8 | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/edit-orders.php. |
| CVE-2026-26709 | CVE-2026-26709 CVSS 9.8 | code-projects Simple Gym Management System v1.0 is vulnerable to SQL Injection in /gym/trainer_search.php. |
| CVE-2026-26708 | CVE-2026-26708 CVSS 9.8 | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php. |
| CVE-2026-26707 | CVE-2026-26707 CVSS 9.8 | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_supplier.php. |
| CVE-2026-26706 | CVE-2026-26706 CVSS 9.8 | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_receipt.php. |
| CVE-2026-26705 | CVE-2026-26705 CVSS 9.8 | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_product.php. |
| CVE-2026-26704 | CVE-2026-26704 CVSS 9.8 | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_category.php. |
| CVE-2026-26703 | CVE-2026-26703 CVSS 9.8 | sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/advance_search.php. |
| CVE-2026-26702 | CVE-2026-26702 CVSS 9.8 | sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/myitem_reuse.php. |
| CVE-2026-26701 | CVE-2026-26701 CVSS 9.8 | sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_tecnical_user.php. |
| CVE-2026-26700 | CVE-2026-26700 CVSS 9.8 | sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_employee.php. |
| CVE-2026-26696 | CVE-2026-26696 CVSS 9.8 | code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordteacher_edit.php. |
| CVE-2026-26695 | CVE-2026-26695 CVSS 9.8 | code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudent_edit.php. |
| CVE-2026-26694 | CVE-2026-26694 CVSS 9.8 | code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/modal_view.php. |
| CVE-2026-2654 | CVE-2026-2654 CVSS 9.8 | A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Exec… |
| CVE-2026-2651 | CVE-2026-2651 CVSS 9.0 (lfprojects) | A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. T… |
| CVE-2026-26478 | CVE-2026-26478 CVSS 9.8 | A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP da… |
| CVE-2026-26369 | CVE-2026-26369 CVSS 9.8 | eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC meth… |
| CVE-2026-26366 | CVE-2026-26366 CVSS 9.8 | eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without … |
| CVE-2026-26354 | CVE-2026-26354 CVSS 9.8 | Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3… |
| CVE-2026-2635 | CVE-2026-2635 CVSS 9.8 | MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installatio… |
| CVE-2026-26342 | CVE-2026-26342 CVSS 9.8 | Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expirati… |
| CVE-2026-26341 | CVE-2026-26341 CVSS 9.8 | Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during inst… |
| CVE-2026-2634 | CVE-2026-2634 CVSS 9.8 | Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-control… |
| CVE-2026-26339 | CVE-2026-26339 CVSS 9.8 | Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which ex… |
| CVE-2026-26338 | CVE-2026-26338 CVSS 9.8 | Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functiona… |
| CVE-2026-26335 | CVE-2026-26335 CVSS 9.8 | Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\Program File… |
| CVE-2026-26333 | CVE-2026-26333 CVSS 9.8 | Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (inc… |
| CVE-2026-26332 | CVE-2026-26332 CVSS 10.0 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issu… |
| CVE-2026-2631 | CVE-2026-2631 CVSS 9.8 | The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `da… |
| CVE-2026-26305 | CVE-2026-26305 CVSS 9.8 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attac… |
| CVE-2026-26290 | CVE-2026-26290 CVSS 9.8 | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identi… |
| CVE-2026-26288 | CVE-2026-26288 CVSS 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the bac… |
| CVE-2026-26284 | CVE-2026-26284 CVSS 9.1 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks prop… |
| CVE-2026-2628 | CVE-2026-2628 CVSS 9.8 | The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, … |
| CVE-2026-26279 | CVE-2026-26279 CVSS 9.1 | Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email fo… |
| CVE-2026-26273 | CVE-2026-26273 CVSS 9.8 | Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks … |
| CVE-2026-26268 | CVE-2026-26268 CVSS 9.9 | Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (… |
| CVE-2026-26263 | CVE-2026-26263 CVSS 9.8 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Searc… |
| CVE-2026-2624 | CVE-2026-2624 CVSS 9.8 (epati) | Missing Authentication for Critical Function vulnerability in ePati Cyber Security Technologies Inc. Antikor Next Generation Firewall (NGFW) allows Authentic… |
| CVE-2026-26222 | CVE-2026-26222 CVSS 9.8 | Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService… |
| CVE-2026-26221 | CVE-2026-26221 CVSS 9.8 | Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can… |
| CVE-2026-26219 | CVE-2026-26219 CVSS 9.1 | newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational… |
| CVE-2026-26218 | CVE-2026-26218 CVSS 9.8 | newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default passwor… |
| CVE-2026-26216 | CVE-2026-26216 CVSS 10.0 | Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter cont… |
| CVE-2026-26210 | CVE-2026-26210 CVSS 9.8 | KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTE… |