CVE vulnerabilities
31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,801–1,850 of 8,314 in Critical · page 37 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-25876 | 9.1 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authenticatio… |
| CVE-2026-25875 | 9.8 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client-controlled J… |
| CVE-2026-25874 | 9.8 | LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data receive… |
| CVE-2026-25873 | 9.8 | OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary co… |
| CVE-2026-2587 | 9.6 | A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The a… |
| CVE-2026-2586 | 9.1 | An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send craft… |
| CVE-2026-25858 | 9.1 | macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated atta… |
| CVE-2026-25851 | 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the b… |
| CVE-2026-25848 | 9.8 | In JetBrains Hub before 2025.3.119807, an authentication bypass allowing administrative actions was possible. |
| CVE-2026-25823 | 9.8 | HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have a stack buffer o… |
| CVE-2026-25818 | 9.1 | HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for… |
| CVE-2026-25814 | 9.8 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, user-controlled query parameters are passed directly into Dyn… |
| CVE-2026-25811 | 9.1 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from t… |
| CVE-2026-25810 | 9.1 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify au… |
| CVE-2026-25809 | 9.8 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment… |
| CVE-2026-25804 | 9.1 | Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment sys… |
| CVE-2026-25803 | 9.8 | 3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default c… |
| CVE-2026-25787 | 9.1 | Affected devices do not properly validate and sanitize the Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This… |
| CVE-2026-25786 | 9.1 | Affected devices do not properly validate and sanitize the PLC/station name rendered on the "communication" parameters page of the web interface. This could allow… |
| CVE-2026-25785 | 9.8 | A path traversal vulnerability exists in Lanscope Endpoint Manager (On-Premises) Sub-Manager Server Ver.9.4.7.3 and earlier, which may allow an attacker to tampe… |
| CVE-2026-25776 | 9.8 | Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute an arbitrary Perl script. |
| CVE-2026-25775 | 9.8 | A vulnerability in SenseLive X3050's remote management service allows firmware retrieval and update operations to be performed without authentication or author… |
| CVE-2026-2577 | 10.0 | The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentica… |
| CVE-2026-25769 | 9.1 | Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) … |
| CVE-2026-25763 | 9.9 | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in Open… |
| CVE-2026-25753 | 9.8 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password fo… |
| CVE-2026-25752 | 9.1 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attac… |
| CVE-2026-25737 | 9.0 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists … |
| CVE-2026-25726 | 9.8 | Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand … |
| CVE-2026-25725 | 10.0 | Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.js… |
| CVE-2026-25722 | 9.1 | Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations t… |
| CVE-2026-25715 | 9.8 | The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authent… |
| CVE-2026-25702 | 9.8 | An improper access control vulnerability in the kernel of SUSE Linux Enterprise Server 12 SP5 breaks nftables, causing firewall rules applied via nftables … |
| CVE-2026-25660 | 9.8 | CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the U… |
| CVE-2026-25643 | 9.1 | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulne… |
| CVE-2026-25641 | 9.0 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validatio… |
| CVE-2026-25632 | 10.0 | EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EP… |
| CVE-2026-25592 | 9.9 | Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has … |
| CVE-2026-25587 | 10.0 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, its prototype can be obtained via Map.prototype. By overwriting Ma… |
| CVE-2026-25586 | 10.0 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables pro… |
| CVE-2026-25560 | 9.8 | WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP sear… |
| CVE-2026-25548 | 9.1 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists… |
| CVE-2026-25544 | 9.8 | Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded … |
| CVE-2026-25534 | 9.1 | Spinnaker updated URL validation logic on user input to provide sanitation on user-inputted URLs for clouddriver. However, they missed that Java UR… |
| CVE-2026-25526 | 9.8 | JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulne… |
| CVE-2026-25520 | 10.0 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get a… |
| CVE-2026-25519 | 9.8 | OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2… |
| CVE-2026-25505 | 9.8 | Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs i… |
| CVE-2026-2550 | 9.8 | A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation resu… |
| CVE-2026-25481 | 9.6 | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. Tabl… |
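Several rows above (CVE-2026-25874 in LeRobot, among others) describe the same class of bug: `pickle.loads()` applied to bytes received over the network. The following is an added illustration of why that is remote code execution and what a hardened decoder looks like; it is constructed for this page and is not LeRobot's code, and the `Payload` class, the harmless `os.path.basename` target, the `RestrictedUnpickler` and the JSON `decode_observation` schema are all assumptions for the demonstration. Instead of a shell command, the payload invokes a benign stdlib function so the effect is observable but harmless.

```python
import io
import json
import os
import pickle


class Payload:
    """Attacker-controlled object: pickle records the callable and args returned
    by __reduce__, and pickle.loads() calls that callable on the victim.
    os.path.basename stands in for an arbitrary function the attacker picks."""

    def __reduce__(self):
        return (os.path.basename, ("/tmp/attacker-chosen-callable-ran",))


def build_malicious_pickle() -> bytes:
    """What the attacker sends: a pickle stream that executes a global on load."""
    return pickle.dumps(Payload())


def unsafe_loads(data: bytes):
    """The vulnerable pattern: deserialize untrusted bytes with pickle.loads()."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened unpickler: refuses every GLOBAL/STACK_GLOBAL opcode, so only
    plain data (dict/list/str/int/bytes...) can be reconstructed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def decode_observation(raw: bytes) -> dict:
    """Preferred fix: do not use pickle for the wire format at all. Decode JSON
    and enforce a minimal schema (constructed for this example): string keys,
    numeric or list-of-numeric values only."""
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("observation must be a JSON object")
    for key, value in obj.items():
        if not isinstance(key, str):
            raise ValueError("non-string key")
        if isinstance(value, bool) or not isinstance(value, (int, float, list)):
            raise ValueError(f"unexpected type for {key!r}")
        if isinstance(value, list) and not all(
            isinstance(v, (int, float)) and not isinstance(v, bool) for v in value
        ):
            raise ValueError(f"non-numeric element in {key!r}")
    return obj


if __name__ == "__main__":
    evil = build_malicious_pickle()
    print("pickle.loads ran the attacker's callable:", unsafe_loads(evil))
    print("restricted unpickler rejects it:", is_rejected(evil))
    print("benign plain-data pickle still loads:", safe_loads(pickle.dumps({"joint": [0.1, 0.2]})))
    print("JSON path:", decode_observation(b'{"joint": [0.1, 0.2], "step": 3}'))
```

The restricted unpickler is a stop-gap for legacy clients; a pickle stream with no globals can still be pathological (deeply nested structures, huge allocations), so the JSON schema path is the real fix when the protocol can be changed.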
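The WeKan entry (CVE-2026-25560) is an LDAP filter injection: a username concatenated into a search filter. This added example, not WeKan's code, shows the vulnerable construction next to RFC 4515 value escaping, and a small structural check that flags a filter whose assertion count changed; the `uid`/`objectClass` attributes and the filter shape are assumptions chosen for illustration.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value. Backslash is included so an attacker cannot pre-escape.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter assertion."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(username: str) -> str:
    """The bug class: raw interpolation lets '*)(uid=*' add a second assertion."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_filter(username: str) -> str:
    """Hardened: the value is escaped, so metacharacters are literal bytes."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)(=|~=|>=|<=)([^()]*)\)")


def count_assertions(ldap_filter: str) -> int:
    """Count '(attr=value)' assertions. A filter built from a fixed template
    should always have the same count; a higher count means injection."""
    return len(_ASSERTION.findall(ldap_filter))


def build_login_filter(username: str, expected_assertions: int = 2) -> str:
    """Construct the filter safely and refuse it if its structure changed."""
    built = safe_filter(username)
    if count_assertions(built) != expected_assertions:
        raise ValueError("filter structure changed; refusing to query")
    return built


if __name__ == "__main__":
    attacker = "*)(uid=*"
    print("vulnerable:", vulnerable_filter(attacker), count_assertions(vulnerable_filter(attacker)))
    print("escaped:   ", safe_filter(attacker), count_assertions(safe_filter(attacker)))
    print("normal:    ", build_login_filter("alice"))
```

Escaping is the fix; the assertion count is only a cheap tripwire for detecting that raw interpolation crept back in, and it would also catch the vulnerable builder if it were wired in its place.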