CVE vulnerabilities
31,467 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 901–950 of 8,161 in High · page 19 of 164
| ID | CVSS | KEV | Summary |
|---|---|---|---|
| CVE-2026-42434 | 8.8 |  | OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. … |
| CVE-2026-42431 | 8.1 |  | OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers … |
| CVE-2026-42426 | 8.8 |  | OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrow… |
| CVE-2026-42422 | 8.8 |  | OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers ca… |
| CVE-2026-42406 | 8.7 |  | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify con… |
| CVE-2026-42375 | 8.8 |  | D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the… |
| CVE-2026-42374 | 8.8 |  | D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the… |
| CVE-2026-42373 | 8.8 |  | D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh wit… |
| CVE-2026-42372 | 8.8 |  | D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh wit… |
| CVE-2026-42364 | 9.9 |  | An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can… |
| CVE-2026-42353 | 8.2 |  | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-… |
| CVE-2026-42352 | 8.6 |  | pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests… |
| CVE-2026-42313 | 8.3 |  | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) i… |
| CVE-2026-42297 | 8.3 |  | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, th… |
| CVE-2026-42296 | 8.1 |  | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user wit… |
| CVE-2026-42289 | 8.8 |  | ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_… |
| CVE-2026-42281 | 8.6 |  | MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors… |
| CVE-2026-42275 | 8.7 |  | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path t… |
| CVE-2026-42271 | 8.8 | Yes | BerriAI LiteLLM Command Injection Vulnerability: BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to r… |
| CVE-2026-42266 | 8.8 |  | JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-… |
| CVE-2026-42260 | 8.2 |  | Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHt… |
| CVE-2026-42239 | 8.1 |  | Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false a… |
| CVE-2026-42237 | 8.8 |  | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake… |
| CVE-2026-42234 | 8.8 |  | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify w… |
| CVE-2026-42232 | 8.8 |  | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify w… |
| CVE-2026-42231 | 8.8 |  | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodi… |
| CVE-2026-42229 | 8.8 |  | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operat… |
| CVE-2026-42215 | 8.8 |  | GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such… |
| CVE-2026-42205 | 8.8 |  | Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsC… |
| CVE-2026-42203 | 8.8 |  | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endp… |
| CVE-2026-42167 | 8.1 |  | mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an… |
| CVE-2026-42088 | 8.1 |  | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script … |
| CVE-2026-42084 | 8.1 |  | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3,… |
| CVE-2026-4208 | 8.8 |  | The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by … |
| CVE-2026-42079 | 8.6 |  | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python e… |
| CVE-2026-42075 | 8.1 |  | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allo… |
| CVE-2026-42047 | 8.6 |  | Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.… |
| CVE-2026-42013 | 8.2 |  | A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall ba… |
| CVE-2026-42000 | 8.6 |  | Insufficient Validation of Names During AXFR |
| CVE-2026-41964 | 8.4 |  | Permission control vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability. |
| CVE-2026-41957 | 8.8 |  | An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. Note: Software versio… |
| CVE-2026-41953 | 8.7 |  | A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configurati… |
| CVE-2026-41938 | 8.8 |  | Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload p… |
| CVE-2026-41936 | 8.1 |  | Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_adm… |
| CVE-2026-41934 | 8.8 |  | Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated use… |
| CVE-2026-41914 | 8.5 |  | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit… |
| CVE-2026-41900 | 8.8 |  | OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identifie… |
| CVE-2026-41883 | 8.1 |  | OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Co… |
| CVE-2026-4188 | 8.8 |  | A security flaw has been discovered in D-Link DIR-619L 2.06B01. The affected element is the function formSchedule of the file /goform/formSchedule of the compo… |
| CVE-2026-41713 | 8.2 |  | A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affect… |