# CVE vulnerabilities

31,467 CVEs indexed, newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries are marked. Authored by Adam Lundqvist.
Showing 1,001–1,050 of 8,161 entries in the High severity band (CVSS base score 7.0–8.9) · page 21 of 164
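The two filters this index offers (severity band, KEV listing) and its paging arithmetic, as an added Python example written for this page rather than taken from the index itself. It encodes the CVSS v3.x qualitative bands, sorts CVE IDs numerically (the listing itself sorts as strings, which is why CVE-2026-4094 appears between CVE-2026-40960 and CVE-2026-40938), and adds a triage order that puts a KEV-listed 7.8 ahead of an 8.8 with no known exploitation. The sample rows are abbreviated from this page; the helper names and the `Entry` type are the example's own.

```python
from dataclasses import dataclass
from math import ceil

# Qualitative severity bands from the CVSS v3.x specification; NVD applies the same cut-offs.
SEVERITY_BANDS = (
    ("None", 0.0, 0.0),
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
)


@dataclass(frozen=True)
class Entry:  # example's own record type, not the index's schema
    cve_id: str
    cvss: float
    kev: bool
    summary: str


def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative band. Base scores carry one
    decimal, so finer values are rounded first; out-of-range values are rejected."""
    score = round(score, 1)
    for name, lo, hi in SEVERITY_BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"CVSS base score out of range: {score}")


def cve_sort_key(cve_id: str) -> tuple[int, int]:
    """Numeric (year, sequence) key. A plain string sort puts CVE-2026-4094
    between CVE-2026-40960 and CVE-2026-40938; this key does not."""
    _, year, seq = cve_id.split("-")
    return (int(year), int(seq))


def filter_entries(entries, band=None, kev_only=False):
    """Apply the severity-band and KEV filters; result is newest-first by numeric ID."""
    kept = [e for e in entries
            if (band is None or severity(e.cvss) == band)
            and (not kev_only or e.kev)]
    return sorted(kept, key=lambda e: cve_sort_key(e.cve_id), reverse=True)


def triage_order(entries):
    """Patch-priority order: KEV-listed first (exploitation confirmed), then CVSS
    descending, then ID. A 7.8 KEV entry therefore outranks an 8.8 without KEV."""
    return sorted(entries,
                  key=lambda e: (e.kev, e.cvss, cve_sort_key(e.cve_id)),
                  reverse=True)


def page_count(total: int, per_page: int = 50) -> int:
    return ceil(total / per_page)


def page(entries, page_no: int, per_page: int = 50):
    """1-based page slice; page 21 at 50 per page covers entries 1,001-1,050."""
    if page_no < 1 or page_no > page_count(len(entries), per_page):
        raise ValueError(f"page {page_no} out of range")
    start = (page_no - 1) * per_page
    return entries[start:start + per_page]


# Sample rows abbreviated from this listing (scores and KEV flags as shown on the page).
SAMPLE = [
    Entry("CVE-2026-41303", 8.8, False, "OpenClaw authorization bypass in Discord approval commands"),
    Entry("CVE-2026-41091", 7.8, True, "Microsoft Defender link following"),
    Entry("CVE-2026-40960", 8.1, False, "Luanti unintended access to an insecure environment"),
    Entry("CVE-2026-4094", 8.1, False, "FOX Currency Switcher missing capability check"),
    Entry("CVE-2026-40938", 8.5, False, "Tekton Pipelines"),
]

if __name__ == "__main__":
    for e in triage_order(filter_entries(SAMPLE, band="High")):
        flag = "KEV" if e.kev else "   "
        print(f"{e.cve_id:16} {e.cvss:4} {flag} {severity(e.cvss)}  {e.summary}")
```

Running the block prints the five sample rows in triage order, with the KEV-listed Defender entry first despite having the lowest score of the five; `page_count(8161)` reproduces the listing's 164 pages.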
| ID | CVSS | KEV | Summary |
|---|---|---|---|
| CVE-2026-41303 | 8.8 | No | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec ap… |
| CVE-2026-41296 | 8.2 | No | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Att… |
| CVE-2026-41294 | 8.6 | No | OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attack… |
| CVE-2026-41277 | 8.8 | No | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore c… |
| CVE-2026-41273 | 8.2 | No | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerabilit… |
| CVE-2026-41271 | 8.3 | No | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exi… |
| CVE-2026-41270 | 8.3 | No | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass… |
| CVE-2026-41269 | 8.8 | No | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be… |
| CVE-2026-41246 | 8.1 | No | Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulne… |
| CVE-2026-41230 | 8.5 | No | Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and … |
| CVE-2026-41208 | 8.8 | No | Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain… |
| CVE-2026-41175 | 8.1 | No | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and… |
| CVE-2026-41147 | 8.7 | No | NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient s… |
| CVE-2026-41145 | 8.2 | No | MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass… |
| CVE-2026-41143 | 8.8 | No | YesWiki is a wiki system written in PHP. Prior to version 4.6.1, the YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManag… |
| CVE-2026-41142 | 8.8 | No | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions … |
| CVE-2026-41139 | 8.8 | No | Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the exp… |
| CVE-2026-41138 | 8.8 | No | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in Airt… |
| CVE-2026-41137 | 8.8 | No | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing a custom Pandas CSV read… |
| CVE-2026-41133 | 8.8 | No | pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at… |
| CVE-2026-41113 | 8.1 | No | sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c. |
| CVE-2026-41109 | 8.8 | No | Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized a… |
| CVE-2026-41105 | 8.1 | No | Server-side request forgery (SSRF) in Azure Notification Service allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-41094 | 8.8 | No | Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network. |
| CVE-2026-41091 | 7.8 | Yes | Microsoft Defender Link Following Vulnerability: Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally. |
| CVE-2026-41086 | 8.8 | No | Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-41085 | 8.8 | No | Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access priv… |
| CVE-2026-41076 | 8.1 | No | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication … |
| CVE-2026-41075 | 8.8 | No | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerab… |
| CVE-2026-41059 | 8.2 | No | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authenticatio… |
| CVE-2026-41058 | 8.1 | No | WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path … |
| CVE-2026-41056 | 8.1 | No | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any ar… |
| CVE-2026-41044 | 8.8 | No | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ … |
| CVE-2026-41038 | 8.8 | No | This vulnerability exists in Quantum Networks router due to lack of enforcement of strong password policies in the web-based management interface. An attacker … |
| CVE-2026-41037 | 8.8 | No | This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management … |
| CVE-2026-41036 | 8.8 | No | This vulnerability exists in Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated re… |
| CVE-2026-41002 | 8.1 | No | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-che… |
| CVE-2026-40978 | 8.8 | No | SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs. Affected versions… |
| CVE-2026-40968 | 8.8 | No | When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a su… |
| CVE-2026-40967 | 8.6 | No | In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. … |
| CVE-2026-40960 | 8.1 | No | Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods,… |
| CVE-2026-4094 | 8.1 | No | The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the … |
| CVE-2026-40938 | 8.5 | No | Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2,… |
| CVE-2026-40937 | 8.3 | No | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/han… |
| CVE-2026-40925 | 8.3 | No | WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists doz… |
| CVE-2026-4092 | 8.8 | No | Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project contain… |
| CVE-2026-40912 | 8.2 | No | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerabi… |
| CVE-2026-40906 | 8.8 | No | Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injec… |
| CVE-2026-40905 | 8.1 | No | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to im… |
| CVE-2026-40904 | 8.1 | No | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew expo… |