CVE vulnerabilities
31,467 CVEs indexed — newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries surface a rose pill. Authored by Adam Lundqvist.
Showing 951–1,000 of 8,161 in High · page 20 of 164
| ID | CVSS | Summary |
|---|---|---|
| CVE-2026-41705 | 8.6 | Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affecte… |
| CVE-2026-41693 | 8.2 | i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-ba… |
| CVE-2026-41690 | 8.6 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unaut… |
| CVE-2026-41683 | 8.6 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-… |
| CVE-2026-41670 | 8.2 | Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServi… |
| CVE-2026-4167 | 8.8 | A vulnerability was determined in Belkin F9K1122 1.00.33. This affects the function formReboot of the file /goform/formReboot. This manipulation of the argumen… |
| CVE-2026-41669 | 8.2 | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its … |
| CVE-2026-41654 | 8.1 | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for an… |
| CVE-2026-41651 | 8.8 | PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit betw… |
| CVE-2026-41640 | 8.8 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() … |
| CVE-2026-41613 | 8.8 | Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-41604 | 8.2 | Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which… |
| CVE-2026-41588 | 8.1 | RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue h… |
| CVE-2026-41524 | 8.7 | Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the… |
| CVE-2026-41505 | 8.7 | RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() functio… |
| CVE-2026-41496 | 8.1 | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation … |
| CVE-2026-41491 | 8.1 | Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to be… |
| CVE-2026-41490 | 8.3 | Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster… |
| CVE-2026-41489 | 8.8 | Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1,… |
| CVE-2026-41486 | 8.8 | Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arr… |
| CVE-2026-4148 | 8.8 | A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $grap… |
| CVE-2026-41476 | 8.8 | Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a conne… |
| CVE-2026-41468 | 8.7 | Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection … |
| CVE-2026-41463 | 8.8 | ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers wit… |
| CVE-2026-41461 | 8.5 | SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input pa… |
| CVE-2026-41455 | 8.5 | WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string withou… |
| CVE-2026-41454 | 8.3 | WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform admin… |
| CVE-2026-41445 | 8.8 | KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calcula… |
| CVE-2026-41433 | 8.4 | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent inje… |
| CVE-2026-41432 | 8.2 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in th… |
| CVE-2026-41431 | 8.0 | Zen is a Firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR sig… |
| CVE-2026-41429 | 8.8 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reach… |
| CVE-2026-41422 | 8.3 | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were pass… |
| CVE-2026-41421 | 8.8 | SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron rend… |
| CVE-2026-41404 | 8.8 | OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalat… |
| CVE-2026-41394 | 8.2 | OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. … |
| CVE-2026-41383 | 8.1 | OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencin… |
| CVE-2026-41378 | 8.8 | OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestr… |
| CVE-2026-41371 | 8.5 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session res… |
| CVE-2026-41364 | 8.1 | OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers… |
| CVE-2026-41359 | 8.8 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram … |
| CVE-2026-41353 | 8.1 | OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions… |
| CVE-2026-41352 | 8.8 | OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. At… |
| CVE-2026-41349 | 8.8 | OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch paramete… |
| CVE-2026-41344 | 8.8 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-onl… |
| CVE-2026-41342 | 8.1 | OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints … |
| CVE-2026-41326 | 8.2 | Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0… |
| CVE-2026-41325 | 8.8 | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in… |
| CVE-2026-41316 | 8.1 | ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result`… |
| CVE-2026-41309 | 8.2 | Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An a… |