CVE vulnerabilities

31,509 CVEs indexed, newest first. Filter by CVSS severity or CISA KEV listing; KEV-flagged entries are marked with a rose pill. Authored by Adam Lundqvist.
Showing 1,301–1,350 of 8,161 entries rated High (CVSS 7.0–8.9), page 27 of 164.
| CVE ID | CVSS | Summary |
|---|---|---|
| CVE-2026-35645 | 8.8 | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic op… |
| CVE-2026-35643 | 8.8 | OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted page… |
| CVE-2026-35639 | 8.8 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve p… |
| CVE-2026-35638 | 8.8 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileg… |
| CVE-2026-35627 | 8.2 | OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation… |
| CVE-2026-3562 | 8.8 | Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute a… |
| CVE-2026-35610 | 8.8 | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the accou… |
| CVE-2026-3561 | 8.0 | Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers … |
| CVE-2026-35607 | 8.8 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the f… |
| CVE-2026-35604 | 8.1 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when … |
| CVE-2026-3560 | 8.8 | Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent a… |
| CVE-2026-35595 | 8.3 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires … |
| CVE-2026-3559 | 8.1 | Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass … |
| CVE-2026-35587 | 8.8 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glanc… |
| CVE-2026-35582 | 8.8 | Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it int… |
| CVE-2026-3558 | 8.1 | Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers … |
| CVE-2026-35577 | 8.1 | Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not valida… |
| CVE-2026-35576 | 8.7 | ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person P… |
| CVE-2026-35575 | 8.0 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creat… |
| CVE-2026-35574 | 8.7 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authe… |
| CVE-2026-35570 | 8.4 | OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHas… |
| CVE-2026-3557 | 8.0 | Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-ad… |
| CVE-2026-35569 | 8.7 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related… |
| CVE-2026-3556 | 8.8 | Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to e… |
| CVE-2026-35554 | 8.7 | A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a pro… |
| CVE-2026-3555 | 8.0 | Philips Hue Bridge Zigbee Stack Custom Command Handler Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjace… |
| CVE-2026-35548 | 8.5 | An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored d… |
| CVE-2026-35547 | 8.1 | When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to wr… |
| CVE-2026-35545 | 8.2 | An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. … |
| CVE-2026-35521 | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine conta… |
| CVE-2026-35520 | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine conta… |
| CVE-2026-35519 | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine conta… |
| CVE-2026-35518 | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine conta… |
| CVE-2026-35517 | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine conta… |
| CVE-2026-35512 | 8.8 | xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due … |
| CVE-2026-35488 | 8.1 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewS… |
| CVE-2026-35478 | 8.1 | InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed … |
| CVE-2026-35470 | 8.8 | OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different module… |
| CVE-2026-35463 | 8.8 | pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts securi… |
| CVE-2026-35457 | 8.2 | libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies witho… |
| CVE-2026-35446 | 8.6 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. … |
| CVE-2026-35442 | 8.1 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the co… |
| CVE-2026-3544 | 8.8 | Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTM… |
| CVE-2026-35439 | 8.8 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
| CVE-2026-35438 | 8.3 | Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-35436 | 8.8 | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally. |
| CVE-2026-35430 | 8.8 | Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a netwo… |
| CVE-2026-3543 | 8.8 | Inappropriate implementation in V8 in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a … |
| CVE-2026-3542 | 8.8 | Inappropriate implementation in WebAssembly in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a cra… |
| CVE-2026-35414 | 8.1 | OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Author… |