CVEs (59,162, showing first 500)

Showing 376–400 of 59,162 (capped at 500)

| CVE ID | Severity | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-46839 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privilege… |
| CVE-2026-46822 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily ex… |
| CVE-2026-46824 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affec… |
| CVE-2026-46775 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privilege… |
| CVE-2026-44477 | CRITICAL | Patched | 9.9 | 2026-05-28 | CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its… |
| CVE-2026-9813 | CRITICAL | Patched | 9.9 | 2026-05-28 | FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker… |
| CVE-2026-45102 | CRITICAL | Patched | 9.9 | 2026-05-27 | OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not desig… |
| CVE-2026-46425 | CRITICAL | Patched | 9.9 | 2026-05-27 | Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (… |
| CVE-2026-42756 | CRITICAL | | 9.9 | 2026-05-27 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP \|… |
| CVE-2026-42757 | CRITICAL | | 9.9 | 2026-05-27 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traver… |
| CVE-2026-42748 | CRITICAL | | 9.9 | 2026-05-27 | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czec… |
| CVE-2026-44450 | CRITICAL | Patched | 9.9 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forw… |
| CVE-2026-46624 | CRITICAL | Patched | 9.9 | 2026-05-26 | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQ… |
| CVE-2026-7374 | CRITICAL | | 9.9 | 2026-05-26 | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit impr… |
| CVE-2026-40411 | CRITICAL | | 9.9 | 2026-05-22 | Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. |
| CVE-2026-44050 | CRITICAL | | 9.9 | 2026-05-21 | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with es… |
| CVE-2026-33642 | CRITICAL | Patched | 9.9 | 2026-05-19 | Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composit… |
| CVE-2026-27130 | CRITICAL | Patched | 9.9 | 2026-05-18 | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause thi… |
| CVE-2026-44774 | CRITICAL | Patched | 9.9 | 2026-05-15 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation p… |
| CVE-2026-44442 | CRITICAL | Patched | 9.9 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to mod… |
| CVE-2026-43999 | CRITICAL | Patched | 9.9 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard… |
| CVE-2026-41050 | CRITICAL | | 9.9 | 2026-05-13 | Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read sec… |
| CVE-2026-43948 | CRITICAL | Patched | 9.9 | 2026-05-12 | wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization… |
| CVE-2026-42196 | NONE | Patched | — | 2026-05-12 | django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attac… |
| CVE-2026-42898 | CRITICAL | Patched | 9.9 | 2026-05-12 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. |