CVE vulnerabilities
31,509 CVEs indexed — newest first. Authored by Adam Lundqvist.
Showing 1,751–1,800 of 8,314 in Critical · page 36 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-26191 | 9.8 | Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software… |
| CVE-2026-26190 | 9.8 | Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enabl… |
| CVE-2026-2616 | 9.8 | A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The mani… |
| CVE-2026-26150 | 10.0 | Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-26149 | 9.0 | Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network. |
| CVE-2026-26138 | 10.0 | Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-26137 | 9.9 | Server-side request forgery (SSRF) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-26125 | 9.8 | Payment Orchestrator Service Elevation of Privilege Vulnerability |
| CVE-2026-2611 | 9.6 | In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote atta… |
| CVE-2026-26105 | 9.3 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform … |
| CVE-2026-26093 | 9.8 | Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request. |
| CVE-2026-26083 | 9.8 | A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, F… |
| CVE-2026-26068 | 9.9 | emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted dur… |
| CVE-2026-26057 | 9.1 | Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the A… |
| CVE-2026-26051 | 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the bac… |
| CVE-2026-26030 | 9.9 | Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemo… |
| CVE-2026-26021 | 9.8 | set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=… |
| CVE-2026-26015 | 9.8 | DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any l… |
| CVE-2026-26011 | 9.8 | navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle… |
| CVE-2026-26009 | 9.9 | Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates ex… |
| CVE-2026-26002 | 9.8 | Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malici… |
| CVE-2026-25997 | 9.8 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory beca… |
| CVE-2026-25996 | 9.8 | Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields fro… |
| CVE-2026-25994 | 9.8 | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Sessio… |
| CVE-2026-25993 | 9.8 | EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derive… |
| CVE-2026-2599 | 9.8 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.… |
| CVE-2026-25987 | 9.1 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-rea… |
| CVE-2026-25986 | 9.8 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow… |
| CVE-2026-25983 | 9.8 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script t… |
| CVE-2026-25971 | 9.8 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check … |
| CVE-2026-25968 | 9.8 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflo… |
| CVE-2026-25960 | 9.8 | vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_… |
| CVE-2026-25959 | 9.8 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangePropert… |
| CVE-2026-25955 | 9.8 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data`… |
| CVE-2026-25953 | 9.8 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` beca… |
| CVE-2026-25952 | 9.8 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer b… |
| CVE-2026-25945 | 9.8 | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attac… |
| CVE-2026-25939 | 9.1 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA… |
| CVE-2026-25938 | 9.8 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an u… |
| CVE-2026-25923 | 9.1 | my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to fi… |
| CVE-2026-25921 | 9.3 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS o… |
| CVE-2026-2590 | 9.8 | Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and e… |
| CVE-2026-25898 | 9.1 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image … |
| CVE-2026-25897 | 9.8 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vu… |
| CVE-2026-25896 | 9.3 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to b… |
| CVE-2026-25895 | 9.8 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to … |
| CVE-2026-25894 | 9.8 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker … |
| CVE-2026-25893 | 9.8 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthentic… |
| CVE-2026-25881 | 10.0 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laund… |
| CVE-2026-2588 | 9.1 | Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems. Sodium.xs casts a STRLEN (size_t) to unsigned long long wh… |