CVE vulnerabilities
31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 1,901–1,950 of 8,314 in Critical · page 39 of 167
| ID | CVSS | KEV | Summary |
|---|---|---|---|
| CVE-2026-25053 | 9.9 | No | n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with perm… |
| CVE-2026-25052 | 9.9 | No | n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated user… |
| CVE-2026-25049 | 9.9 | No | n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows c… |
| CVE-2026-25035 | 9.8 | No | Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Au… |
| CVE-2026-25032 | 9.8 | No | Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection. This issue affects Ricky: from n/a through < 2.31. |
| CVE-2026-25031 | 9.8 | No | Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection. This issue affects Tasty Daily: from n/a throug… |
| CVE-2026-25030 | 9.8 | No | Deserialization of Untrusted Data vulnerability in park_of_ideas Goldish goldish allows Object Injection. This issue affects Goldish: from n/a through < 3.47. |
| CVE-2026-25029 | 9.8 | No | Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection. This issue affects KIDZ: from n/a through <= 5.24. |
| CVE-2026-24993 | 9.3 | No | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting we… |
| CVE-2026-24989 | 9.8 | No | Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection. This issue affects SUMO Affiliates Pro: fr… |
| CVE-2026-24971 | 9.8 | No | Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go searchgo allows Privilege Escalation. This issue affects Search & Go: from n/a through… |
| CVE-2026-24968 | 9.8 | No | Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation. This issue affects Xagio SEO: from n/a through <= 7.1… |
| CVE-2026-24960 | 9.9 | No | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Charety charety allows Using Malicious Files. This issue affects Charety: from n/a t… |
| CVE-2026-24956 | 9.3 | No | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-eleme… |
| CVE-2026-24936 | 9.8 | No | When a specific function is enabled while joining an AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowin… |
| CVE-2026-24898 | 9.8 | No | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vu… |
| CVE-2026-24895 | 9.8 | No | FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP's CGI path splitting logic improperly handles Unicode characters during case con… |
| CVE-2026-24888 | 9.8 | No | Maker.js is a 2D vector line drawing and shape modeling library for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function … |
| CVE-2026-24881 | 9.8 | No | In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-a… |
| CVE-2026-24874 | 9.1 | No | Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30. |
| CVE-2026-24872 | 9.8 | No | Improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548. This issue affects SkyFire_548: before 5.4.8-stable5. |
| CVE-2026-24858 | 9.8 | Yes: Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability | Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker … |
| CVE-2026-24857 | 9.8 | No | `bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap-buffer-overflow in the RA… |
| CVE-2026-24853 | 9.8 | No | Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non-whitelisted domains from reaching out through port 8080, and shows Host/IP is not al… |
| CVE-2026-24848 | 9.9 | No | OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in … |
| CVE-2026-24841 | 9.9 | No | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebS… |
| CVE-2026-24832 | 9.8 | No | Out-of-bounds Write vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. |
| CVE-2026-24830 | 9.8 | No | Integer Overflow or Wraparound vulnerability in Ralim IronOS. This issue affects IronOS: before v2.23-rc2. |
| CVE-2026-24811 | 9.8 | No | Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C. This issue affects root. |
| CVE-2026-24793 | 9.8 | No | Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in azerothcore azerothcore-wotlk (deps/zlib modules).… |
| CVE-2026-24789 | 9.8 | No | An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication. |
| CVE-2026-24785 | 9.1 | No | Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 have a protocol comp… |
| CVE-2026-24781 | 9.8 | No | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This all… |
| CVE-2026-24772 | 9.0 | No | OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchro… |
| CVE-2026-24770 | 9.8 | No | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip"… |
| CVE-2026-24769 | 9.0 | No | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attac… |
| CVE-2026-24740 | 9.9 | No | Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by labe… |
| CVE-2026-24731 | 9.8 | No | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the b… |
| CVE-2026-24713 | 9.8 | No | Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recomme… |
| CVE-2026-24679 | 9.1 | No | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the URBDRC client uses server-supplied interface numbers as array indices wit… |
| CVE-2026-24677 | 9.1 | No | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not v… |
| CVE-2026-24663 | 9.8 | No | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on t… |
| CVE-2026-24660 | 9.8 | No | A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead t… |
| CVE-2026-24497 | 9.8 | No | Stack-based Buffer Overflow vulnerability in SimTech Systems, Inc. ThinkWise allows Remote Code Inclusion. This issue affects ThinkWise: from 7 through 23. |
| CVE-2026-24494 | 9.8 | No | SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to acce… |
| CVE-2026-24479 | 9.8 | No | HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and … |
| CVE-2026-24467 | 9.8 | No | OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.… |
| CVE-2026-24465 | 9.8 | No | Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution. |
| CVE-2026-2446 | 9.8 | No | The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to upda… |
| CVE-2026-24457 | 9.8 | No | Unsafe parsing of OpenMQ's configuration allows a remote attacker to read arbitrary files from an MQ Broker's server. A full exploitation could read unautho… |