CVE vulnerabilities
31,467 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 751–800 of 8,161 in High · page 16 of 164
| ID | Title | Summary |
|---|---|---|
| CVE-2026-44553 | CVE-2026-44553 CVSS 8.1 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletio… |
| CVE-2026-44552 | CVE-2026-44552 CVSS 8.7 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys i… |
| CVE-2026-4455 | CVE-2026-4455 CVSS 8.8 | Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file… |
| CVE-2026-44549 | CVE-2026-44549 CVSS 8.7 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an u… |
| CVE-2026-44548 | CVE-2026-44548 CVSS 8.1 | ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.… |
| CVE-2026-4454 | CVE-2026-4454 CVSS 8.8 | Use after free in Network in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (C… |
| CVE-2026-4452 | CVE-2026-4452 CVSS 8.8 | Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HT… |
| CVE-2026-44513 | CVE-2026-44513 CVSS 8.8 | Diffusers is a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary … |
| CVE-2026-4451 | CVE-2026-4451 CVSS 8.8 | Insufficient validation of untrusted input in Navigation in Google Chrome prior to 146.0.7680.153 allowed a remote attacker who had compromised the renderer pr… |
| CVE-2026-4450 | CVE-2026-4450 CVSS 8.8 | Out of bounds write in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (C… |
| CVE-2026-4449 | CVE-2026-4449 CVSS 8.8 | Use after free in Blink in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chr… |
| CVE-2026-4448 | CVE-2026-4448 CVSS 8.8 | Heap buffer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page… |
| CVE-2026-4447 | CVE-2026-4447 CVSS 8.8 google | Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted … |
| CVE-2026-4446 | CVE-2026-4446 CVSS 8.8 | Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Ch… |
| CVE-2026-4445 | CVE-2026-4445 CVSS 8.8 | Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Ch… |
| CVE-2026-4444 | CVE-2026-4444 CVSS 8.8 | Stack buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML p… |
| CVE-2026-4443 | CVE-2026-4443 CVSS 8.8 | Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HT… |
| CVE-2026-4442 | CVE-2026-4442 CVSS 8.8 | Heap buffer overflow in CSS in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. … |
| CVE-2026-4441 | CVE-2026-4441 CVSS 8.8 | Use after free in Base in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chro… |
| CVE-2026-44400 | CVE-2026-44400 CVSS 8.1 mailenable | MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass … |
| CVE-2026-4440 | CVE-2026-4440 CVSS 8.8 | Out of bounds read and write in WebGL in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform arbitrary read/write via a crafted HTML pag… |
| CVE-2026-4439 | CVE-2026-4439 CVSS 8.8 | Out of bounds memory access in WebGL in Google Chrome on Android prior to 146.0.7680.153 allowed a remote attacker to potentially perform a sandbox escape via … |
| CVE-2026-4436 | CVE-2026-4436 CVSS 8.6 | A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or t… |
| CVE-2026-4434 | CVE-2026-4434 CVSS 8.1 | Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS cer… |
| CVE-2026-44339 | CVE-2026-44339 CVSS 8.6 | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names a… |
| CVE-2026-44334 | CVE-2026-44334 CVSS 8.4 | PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_… |
| CVE-2026-44331 | CVE-2026-44331 CVSS 8.1 | In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inj… |
| CVE-2026-44304 | CVE-2026-44304 CVSS 8.1 | Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitize… |
| CVE-2026-44301 | CVE-2026-44301 CVSS 8.1 | Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hug… |
| CVE-2026-44295 | CVE-2026-44295 CVSS 8.7 | protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers deriv… |
| CVE-2026-44293 | CVE-2026-44293 CVSS 8.8 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion coul… |
| CVE-2026-44291 | CVE-2026-44291 CVSS 8.1 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for … |
| CVE-2026-44260 | CVE-2026-44260 CVSS 8.1 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. Wh… |
| CVE-2026-44224 | CVE-2026-44224 CVSS 8.8 | Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it direc… |
| CVE-2026-44184 | CVE-2026-44184 CVSS 8.0 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.… |
| CVE-2026-44116 | CVE-2026-44116 CVSS 8.6 | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo UR… |
| CVE-2026-44115 | CVE-2026-44115 CVSS 8.8 | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass al… |
| CVE-2026-44110 | CVE-2026-44110 CVSS 8.8 | OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Att… |
| CVE-2026-44051 | CVE-2026-44051 CVSS 8.1 | An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary… |
| CVE-2026-44048 | CVE-2026-44048 CVSS 8.8 | A stack-based buffer overflow via UCS-2 type confusion in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute a… |
| CVE-2026-44047 | CVE-2026-44047 CVSS 8.8 | An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access t… |
| CVE-2026-44001 | CVE-2026-44001 CVSS 8.6 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.j… |
| CVE-2026-43998 | CVE-2026-43998 CVSS 8.5 | vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed c… |
| CVE-2026-43993 | CVE-2026-43993 CVSS 8.2 | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch() on agent-supplied URLs … |
| CVE-2026-43991 | CVE-2026-43991 CVSS 8.4 | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be … |
| CVE-2026-43990 | CVE-2026-43990 CVSS 8.4 | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c'… |
| CVE-2026-43989 | CVE-2026-43989 CVSS 8.5 | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and upl… |
| CVE-2026-43983 | CVE-2026-43983 CVSS 8.1 | Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function … |
| CVE-2026-4396 | CVE-2026-4396 CVSS 8.1 | Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack v… |
| CVE-2026-43940 | CVE-2026-43940 CVSS 8.4 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/lo… |