CVE vulnerabilities
31,467 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 351–400 of 8,314 in Critical · page 8 of 167
| ID | Title | CVSS | KEV | Summary |
|---|---|---|---|---|
| CVE-2026-45392 | CVE-2026-45392 | 8.7 | | DOM-based cross-site scripting (XSS) in Cribl Stream before 4.17.1 allows a remote attacker to execute arbitrary JavaScript in the browser of an authenticated … |
| CVE-2026-45391 | CVE-2026-45391 | 7.8 | | A command injection vulnerability in Cribl Edge for Linux versions 3.2.0 through 4.17.0 allows a local unprivileged user to execute arbitrary commands in the c… |
| CVE-2026-45375 | CVE-2026-45375 | 9.0 | | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a… |
| CVE-2026-45321 | TanStack Unspecified Vulnerability | 9.6 | Yes (TanStack) | TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealin… |
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability | 9.8 | Yes (Mirasvit) | Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code ex… |
| CVE-2026-45230 | CVE-2026-45230 | 9.1 | | DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthen… |
| CVE-2026-45185 | CVE-2026-45185 | 9.8 | | Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client send… |
| CVE-2026-45158 | CVE-2026-45158 | 9.1 | | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interf… |
| CVE-2026-45091 | CVE-2026-45091 | 9.1 | | sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 throu… |
| CVE-2026-45053 | CVE-2026-45053 | 9.1 | | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (… |
| CVE-2026-45010 | CVE-2026-45010 | 9.1 | | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary… |
| CVE-2026-4499 | CVE-2026-4499 | 9.8 | | A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to os c… |
| CVE-2026-4497 | CVE-2026-4497 | 9.8 | | A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi… |
| CVE-2026-44930 | CVE-2026-44930 | 9.8 | | An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates fr… |
| CVE-2026-44774 | CVE-2026-44774 | 9.9 | | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRou… |
| CVE-2026-4473 | CVE-2026-4473 | 9.8 | | A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_ac… |
| CVE-2026-4472 | CVE-2026-4472 | 9.8 | | A security vulnerability has been detected in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /admin/… |
| CVE-2026-44717 | CVE-2026-44717 | 9.8 | | MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical … |
| CVE-2026-4471 | CVE-2026-4471 | 9.8 | | A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /admin/admin_edit_employee.php… |
| CVE-2026-4470 | CVE-2026-4470 | 9.8 | | A security flaw has been discovered in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this issue is some unknown functionality of the file /… |
| CVE-2026-44694 | CVE-2026-44694 | 9.1 | | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2… |
| CVE-2026-4469 | CVE-2026-4469 | 9.8 | | A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file … |
| CVE-2026-44668 | CVE-2026-44668 | 9.8 | | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 action… |
| CVE-2026-44643 | CVE-2026-44643 | 10.0 | | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression … |
| CVE-2026-44603 | CVE-2026-44603 | 9.1 | | Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007. |
| CVE-2026-44597 | CVE-2026-44597 | 9.1 | | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. |
| CVE-2026-44592 | CVE-2026-44592 | 9.4 | | Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can re… |
| CVE-2026-44566 | CVE-2026-44566 | 9.8 | | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a prompt, the name … |
| CVE-2026-44551 | CVE-2026-44551 | 9.1 | | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not va… |
| CVE-2026-44547 | CVE-2026-44547 | 9.6 | | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then si… |
| CVE-2026-44542 | CVE-2026-44542 | 9.1 | | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trust… |
| CVE-2026-44523 | CVE-2026-44523 | 10.0 | | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The appli… |
| CVE-2026-44497 | CVE-2026-44497 | 9.1 | | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a … |
| CVE-2026-44484 | CVE-2026-44484 | 9.8 | | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a cre… |
| CVE-2026-44482 | CVE-2026-44482 | 9.6 | | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payl… |
| CVE-2026-44451 | CVE-2026-44451 | 9.3 | | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with … |
| CVE-2026-44450 | CVE-2026-44450 | 9.9 | | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary n… |
| CVE-2026-44449 | CVE-2026-44449 | 9.1 | | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename… |
| CVE-2026-44444 | CVE-2026-44444 | 9.1 | | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag befo… |
| CVE-2026-44442 | CVE-2026-44442 | 9.9 | | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing… |
| CVE-2026-44377 | CVE-2026-44377 | 9.1 | | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of … |
| CVE-2026-44351 | CVE-2026-44351 | 9.1 | | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flo… |
| CVE-2026-44343 | CVE-2026-44343 | 9.8 | | WGDashboard is a dashboard for WireGuard VPN. Prior to 4.3.2, there are critical vulnerabilities affecting WGDashboard that, if exploited, could allow unauthor… |
| CVE-2026-44336 | CVE-2026-44336 | 9.6 | | PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-han… |
| CVE-2026-44335 | CVE-2026-44335 | 9.8 | | PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, l… |
| CVE-2026-44313 | CVE-2026-44313 | 9.1 | | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Reque… |
| CVE-2026-44277 | CVE-2026-44277 | 9.8 | | An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthentica… |
| CVE-2026-44262 | CVE-2026-44262 | 9.4 | | Scramble generates API documentation for Laravel projects. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation ru… |
| CVE-2026-44225 | CVE-2026-44225 | 9.3 | | Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged w… |
| CVE-2026-44221 | CVE-2026-44221 | 9.0 | | ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any ot… |