CVE vulnerabilities
31,467 CVEs indexed, newest first. Filter by CVSS severity or CISA KEV listing; entries on the KEV list are marked with a rose pill. Authored by Adam Lundqvist.
Showing 401–450 of 8,314 in Critical · page 9 of 167
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-44212 | 9.3 | PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop… |
| CVE-2026-44196 | 9.1 | Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacke… |
| CVE-2026-44194 | 9.1 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core all… |
| CVE-2026-44193 | 9.1 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied i… |
| CVE-2026-44183 | 9.8 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.… |
| CVE-2026-44159 | 9.8 | Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has… |
| CVE-2026-4415 | 9.8 | Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers … |
| CVE-2026-44112 | 9.6 | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes o… |
| CVE-2026-44109 | 9.8 | OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to … |
| CVE-2026-44050 | 9.9 | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary… |
| CVE-2026-4404 | 9.4 | Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI. |
| CVE-2026-44015 | 9.9 | Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creati… |
| CVE-2026-44009 | 9.8 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2. |
| CVE-2026-44008 | 9.8 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call i… |
| CVE-2026-44007 | 9.1 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') reg… |
| CVE-2026-44006 | 10.0 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototype… |
| CVE-2026-44005 | 10.0 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forw… |
| CVE-2026-43999 | 9.9 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the… |
| CVE-2026-43997 | 10.0 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to esca… |
| CVE-2026-43995 | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invo… |
| CVE-2026-43992 | 9.8 | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract,… |
| CVE-2026-4395 | 9.8 | Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled dat… |
| CVE-2026-43948 | 9.9 | wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope … |
| CVE-2026-43944 | 9.6 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbit… |
| CVE-2026-43941 | 9.6 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler p… |
| CVE-2026-43914 | 9.8 | Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login… |
| CVE-2026-43900 | 9.3 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) … |
| CVE-2026-43899 | 9.6 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for … |
| CVE-2026-4374 | 9.1 | Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queu… |
| CVE-2026-4370 | 10.0 | A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to pe… |
| CVE-2026-4365 | 9.1 | The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in… |
| CVE-2026-43639 | 9.1 | Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to thei… |
| CVE-2026-43633 | 10.0 | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and… |
| CVE-2026-43585 | 9.8 | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTT… |
| CVE-2026-43581 | 9.6 | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0.… |
| CVE-2026-43578 | 9.1 | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background asy… |
| CVE-2026-43575 | 9.8 | OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser … |
| CVE-2026-43566 | 9.8 | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carryi… |
| CVE-2026-43534 | 9.8 | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can … |
| CVE-2026-43526 | 9.3 | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary conte… |
| CVE-2026-43515 | 9.1 | Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache… |
| CVE-2026-43512 | 9.8 | DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.… |
| CVE-2026-43493 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests MAY_BACKLOG requests can return EBU… |
| CVE-2026-43465 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can… |
| CVE-2026-43414 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is s… |
| CVE-2026-43407 | 9.1 | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes … |
| CVE-2026-43406 | 9.1 | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message… |
| CVE-2026-43402 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported cras… |
| CVE-2026-43384 | 9.8 | In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need t… |
| CVE-2026-43383 | 9.4 | In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need … |
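The last two kernel entries (CVE-2026-43384 for tcp-ao and CVE-2026-43383 for tcp-md5) share one fix class: a MAC tag that was compared with an early-exit routine is now compared in constant time. The C below is an added illustration of why that matters and what the constant-time form looks like; it is not the kernel's patch (the kernel's own helper for this job is crypto_memneq()), and the tag bytes it uses are constructed, not real TCP-AO or TCP-MD5 output.

```c
/* Added example: variable-time vs. constant-time MAC comparison.
 * Standalone illustration, not Linux kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Variable-time comparison: returns at the first mismatching byte, so the
 * work done depends on how long a prefix of the forged tag is correct. An
 * attacker measuring response time can confirm the tag one byte at a time.
 * Kept only for contrast; never use this shape for MAC tags. */
int mac_neq_early_exit(const uint8_t *a, const uint8_t *b, size_t n,
                       size_t *bytes_examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 1;
        }
    }
    *bytes_examined = n;
    return 0;
}

/* Constant-time comparison: XOR-accumulates every byte, so loop count and
 * control flow are independent of where (or whether) the tags differ.
 * Returns 0 if equal, nonzero otherwise. */
int mac_neq_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t acc = 0;   /* volatile: stop the compiler short-circuiting */
    size_t i;
    for (i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc;
}

/* Receiver-side check: accept only if the received tag matches the locally
 * recomputed one. Returns 1 to accept, 0 to drop the segment. */
int tag_is_valid(const uint8_t *expected, const uint8_t *received, size_t taglen)
{
    return mac_neq_ct(expected, received, taglen) == 0;
}

/* Demonstrates the leak: forge a tag whose first `good_prefix` bytes match a
 * constructed expected tag, and report how many bytes the early-exit compare
 * examined before rejecting it. */
size_t bytes_examined_for_prefix(size_t good_prefix)
{
    uint8_t expected[TAG_LEN], forged[TAG_LEN];
    size_t examined, i;

    for (i = 0; i < TAG_LEN; i++)          /* constructed bytes, not a real MAC */
        expected[i] = (uint8_t)(0xA5 ^ (i * 7));
    if (good_prefix > TAG_LEN)
        good_prefix = TAG_LEN;
    memcpy(forged, expected, good_prefix);
    for (i = good_prefix; i < TAG_LEN; i++)
        forged[i] = (uint8_t)~expected[i];  /* guaranteed to differ */

    mac_neq_early_exit(expected, forged, TAG_LEN, &examined);
    return examined;
}

int main(void)
{
    size_t p;
    for (p = 0; p <= TAG_LEN; p += 4)
        printf("correct prefix %2zu bytes -> early-exit compare examined %2zu bytes\n",
               p, bytes_examined_for_prefix(p));
    printf("constant-time compare examines all %d bytes every time\n", TAG_LEN);
    return 0;
}
```

The early-exit loop makes its byte count (and so its timing) a function of the attacker's guess; the constant-time loop does the same work for every input, which is the property the kernel fixes restore.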