31,027 CVEs · Critical severity
CVEs (31,027, showing first 500)
Showing 401–425 of 31,027 (capped at 500)
| CVE ID | Severity | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-45375 | CRITICAL | Patched | 9.0 | 2026-05-14 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's pl… |
| CVE-2026-45374 | CRITICAL | Patched | 9.6 | 2026-05-28 | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell def… |
| CVE-2026-45372 | CRITICAL | Patched | 9.9 | 2026-05-29 | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-… |
| CVE-2026-45323 | CRITICAL | Patched | 9.6 | 2026-05-28 | MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node… |
| CVE-2026-45321 | CRITICAL | | 9.6 | 2026-05-12 | On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authen… |
| CVE-2026-45312 | CRITICAL | | 9.9 | 2026-05-29 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py)… |
| CVE-2026-45311 | CRITICAL | Patched | 9.6 | 2026-05-28 | CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meani… |
| CVE-2026-45288 | CRITICAL | Patched | 9.8 | 2026-05-28 | Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter… |
| CVE-2026-45247 | CRITICAL | Patched | 9.8 | 2026-05-26 | Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote c… |
| CVE-2026-45230 | CRITICAL | | 9.1 | 2026-05-18 | DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attac… |
| CVE-2026-45185 | CRITICAL | Patched | 9.8 | 2026-05-12 | Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close… |
| CVE-2026-45158 | CRITICAL | Patched | 9.1 | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is… |
| CVE-2026-45132 | CRITICAL | | 10.0 | 2026-06-01 | CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials… |
| CVE-2026-45131 | CRITICAL | | 10.0 | 2026-06-01 | CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled cod… |
| CVE-2026-45102 | CRITICAL | Patched | 9.9 | 2026-05-27 | OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. This API was not desig… |
| CVE-2026-45091 | CRITICAL | Patched | 9.1 | 2026-05-12 | sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alph… |
| CVE-2026-45087 | CRITICAL | Patched | 10.0 | 2026-05-27 | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server … |
| CVE-2026-45083 | CRITICAL | Patched | 9.8 | 2026-05-27 | The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /ap… |
| CVE-2026-45053 | CRITICAL | Patched | 9.1 | 2026-05-13 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/… |
| CVE-2026-45039 | CRITICAL | Patched | 9.8 | 2026-05-28 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using … |
| CVE-2026-45010 | CRITICAL | Patched | 9.1 | 2026-05-15 | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id para… |
| CVE-2026-44985 | CRITICAL | Patched | 9.6 | 2026-05-26 | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, the WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bo… |
| CVE-2026-44962 | CRITICAL | | 9.9 | 2026-05-29 | Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without pr… |
| CVE-2026-44888 | CRITICAL | Patched | 9.8 | 2026-05-27 | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values… |
| CVE-2026-44887 | CRITICAL | Patched | 9.8 | 2026-05-27 | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be in… |