31,509 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 2,101–2,150 of 8,314 in Critical · page 43 of 167
| ID | Title | Summary |
|---|---|---|
| CVE-2026-22781 | CVE-2026-22781 CVSS 9.8 | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDE… |
| CVE-2026-22778 | CVE-2026-22778 CVSS 9.8 | vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpo… |
| CVE-2026-22770 | CVE-2026-22770 CVSS 9.8 | ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buff… |
| CVE-2026-22769 | Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability · KEV · CVSS 10.0 · Dell | Dell RecoverPoint for Virtual Machines (RP4VMs) contains a use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to … |
| CVE-2026-2275 | CVE-2026-2275 CVSS 9.6 | The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling. |
| CVE-2026-22738 | CVE-2026-22738 CVSS 9.8 | In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could… |
| CVE-2026-22732 | CVE-2026-22732 CVSS 9.1 | When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be writ… |
| CVE-2026-22720 | CVE-2026-22720 CVSS 9.0 | VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to injec… |
| CVE-2026-22709 | CVE-2026-22709 CVSS 10.0 | vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be b… |
| CVE-2026-22708 | CVE-2026-22708 CVSS 9.8 | Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shel… |
| CVE-2026-22687 | CVE-2026-22687 CVSS 9.8 | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent se… |
| CVE-2026-22686 | CVE-2026-22686 CVSS 10.0 | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-v… |
| CVE-2026-22685 | CVE-2026-22685 CVSS 9.8 | DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installatio… |
| CVE-2026-22679 | CVE-2026-22679 CVSS 9.8 | Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboA… |
| CVE-2026-22619 | CVE-2026-22619 CVSS 9.9 | Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker … |
| CVE-2026-22600 | CVE-2026-22600 CVSS 9.1 | OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality… |
| CVE-2026-22586 | CVE-2026-22586 CVSS 9.8 | Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsu… |
| CVE-2026-22585 | CVE-2026-22585 CVSS 9.8 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subsc… |
| CVE-2026-22584 | CVE-2026-22584 CVSS 9.8 | Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Ex… |
| CVE-2026-22583 | CVE-2026-22583 CVSS 9.8 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module… |
| CVE-2026-22582 | CVE-2026-22582 CVSS 9.8 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module)… |
| CVE-2026-22564 | CVE-2026-22564 CVSS 9.8 | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the … |
| CVE-2026-22563 | CVE-2026-22563 CVSS 9.8 | A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Pr… |
| CVE-2026-22562 | CVE-2026-22562 CVSS 9.8 | A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system … |
| CVE-2026-22557 | CVE-2026-22557 CVSS 10.0 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underly… |
| CVE-2026-22553 | CVE-2026-22553 CVSS 9.8 | All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface. Malicious users that use the v… |
| CVE-2026-22552 | CVE-2026-22552 CVSS 9.8 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the bac… |
| CVE-2026-2251 | CVE-2026-2251 CVSS 9.8 | Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to… |
| CVE-2026-22507 | CVE-2026-22507 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection. This issue affects Beelove: from n/a through <= 1.2.6. |
| CVE-2026-22501 | CVE-2026-22501 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection. This issue affects Mounthood: from n/a through <= 1.… |
| CVE-2026-22500 | CVE-2026-22500 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in axiomthemes m2 \| Construction and Tools Store m2-ce allows Object Injection. This issue affects m2 \| Construc… |
| CVE-2026-22497 | CVE-2026-22497 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection. This issue affects Jardi: from n/a through <= 1.7.2. |
| CVE-2026-2249 | CVE-2026-2249 CVSS 9.8 | METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpo… |
| CVE-2026-22484 | CVE-2026-22484 CVSS 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.… |
| CVE-2026-2248 | CVE-2026-2248 CVSS 9.8 | METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpo… |
| CVE-2026-22475 | CVE-2026-22475 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection. This issue affects Estate: from n/a through <= 1.3.4. |
| CVE-2026-22474 | CVE-2026-22474 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection. This issue affects Equestrian Centre: f… |
| CVE-2026-22454 | CVE-2026-22454 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection. This issue affects Solaris: from n/a through <= 2.5. |
| CVE-2026-22453 | CVE-2026-22453 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3. |
| CVE-2026-22451 | CVE-2026-22451 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection. This issue affects Handyman: from n/a throug… |
| CVE-2026-22417 | CVE-2026-22417 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection. This issue affects Grand Wedding: from n/a thr… |
| CVE-2026-22390 | CVE-2026-22390 CVSS 9.9 | Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code In… |
| CVE-2026-22384 | CVE-2026-22384 CVSS 9.8 | Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection. This issue affects Applay - Shortcod… |
| CVE-2026-2234 | CVE-2026-2234 CVSS 9.1 | C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content. |
| CVE-2026-22337 | CVE-2026-22337 CVSS 9.8 | Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation. This issue affects Directorist Social Login: f… |
| CVE-2026-22336 | CVE-2026-22336 CVSS 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection. This issue affec… |
| CVE-2026-22314 | CVE-2026-22314 CVSS 9.0 | Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code… |
| CVE-2026-22278 | CVE-2026-22278 CVSS 9.8 | Dell PowerScale OneFS versions prior to 9.13.0.0 contain an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attack… |
| CVE-2026-22264 | CVE-2026-22264 CVSS 9.1 | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when… |
| CVE-2026-22262 | CVE-2026-22262 CVSS 9.8 | Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the da… |