Search
4,947 CVEs · Critical severity
CVEs (4,947, showing first 500)
Only the first 500 CVEs (by current sort) are shown when searching without a keyword. Add a search term above to narrow the results.
Showing 276–300 of 4,947 (capped at 500)
| CVE ID | Severity | Patch | CVSS | Published ↓ | Description |
|---|---|---|---|---|---|
| CVE-2026-42755 | CRITICAL | 9.3 | 2026-05-27 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 TableOn posts-table-filterable allows Blind SQL Injection.T… | |
| CVE-2026-42748 | CRITICAL | 9.9 | 2026-05-27 | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server.This issue affects WPify Woo Czec… | |
| CVE-2026-42747 | CRITICAL | 9.3 | 2026-05-27 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL In… | |
| CVE-2026-42740 | CRITICAL | 9.3 | 2026-05-27 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection.This issue affec… | |
| CVE-2026-42731 | CRITICAL | 9.8 | 2026-05-27 | Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation.This issue affects miniorange… | |
| CVE-2026-42727 | CRITICAL | 9.3 | 2026-05-27 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tabl… | |
| CVE-2026-49002 | CRITICAL | 9.1 | 2026-05-27 | Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissi… | |
| CVE-2025-12686 | CRITICAL | Patched | 9.8 | 2026-05-27 | Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to … |
| CVE-2026-8760 | CRITICAL | 9.8 | 2026-05-27 | The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-1117… | |
| CVE-2026-8450 | CRITICAL | Patched | 9.1 | 2026-05-27 | HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form inter… |
| CVE-2026-44985 | CRITICAL | Patched | 9.6 | 2026-05-26 | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bo… |
| CVE-2026-44451 | CRITICAL | Patched | 9.3 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function,… |
| CVE-2026-44450 | CRITICAL | Patched | 9.9 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forw… |
| CVE-2026-44449 | CRITICAL | Patched | 9.1 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and on… |
| CVE-2026-44444 | CRITICAL | Patched | 9.1 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running th… |
| CVE-2026-48689 | CRITICAL | Patched | 9.8 | 2026-05-26 | FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five meth… |
| CVE-2026-3660 | CRITICAL | 9.8 | 2026-05-26 | IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain un… | |
| CVE-2026-9170 | CRITICAL | 9.8 | 2026-05-26 | IBM HTTP Server 8.5, and 9.0 | |
| CVE-2026-8633 | CRITICAL | Patched | 9.8 | 2026-05-26 | IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulner… |
| CVE-2026-7251 | CRITICAL | 9.8 | 2026-05-26 | Eppendorf BioFlo 320 is vulnerable due to VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access … | |
| CVE-2026-46624 | CRITICAL | Patched | 9.9 | 2026-05-26 | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQ… |
| CVE-2026-44668 | CRITICAL | Patched | 9.8 | 2026-05-26 | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditio… |
| CVE-2026-48904 | CRITICAL | Patched | 9.8 | 2026-05-26 | An improper access check allows privelege escalation through the com_users group editing webservice endpoint. |
| CVE-2026-48902 | CRITICAL | Patched | 9.8 | 2026-05-26 | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. |
| CVE-2026-48899 | CRITICAL | Patched | 9.8 | 2026-05-26 | An improper access check allows privilege escalation through the com_users batch task. |