CVEs (59,162, showing first 500)
Showing 401–425 of 59,162 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-42823 | CRITICAL | | 9.9 | 2026-05-12 | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-42864 | CRITICAL | Patched | 9.9 | 2026-05-11 | FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authenticat… |
| CVE-2026-7813 | CRITICAL | Patched | 9.9 | 2026-05-11 | Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetch… |
| CVE-2026-42454 | CRITICAL | Patched | 9.9 | 2026-05-08 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoi… |
| CVE-2026-41512 | CRITICAL | Patched | 9.9 | 2026-05-08 | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript in… |
| CVE-2025-69691 | CRITICAL | | 9.9 | 2026-05-08 | Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and… |
| CVE-2026-33109 | CRITICAL | | 9.9 | 2026-05-07 | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. |
| CVE-2026-42809 | CRITICAL | Patched | 9.9 | 2026-05-04 | Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reser… |
| CVE-2026-42810 | CRITICAL | Patched | 9.9 | 2026-05-04 | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same charact… |
| CVE-2026-42811 | CRITICAL | Patched | 9.9 | 2026-05-04 | In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those … |
| CVE-2026-42812 | CRITICAL | Patched | 9.9 | 2026-05-04 | In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.… |
| CVE-2026-29200 | NONE | | — | 2026-05-04 | A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator … |
| CVE-2026-42368 | CRITICAL | | 9.9 | 2026-05-04 | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute privi… |
| CVE-2026-42364 | CRITICAL | | 9.9 | 2026-05-04 | An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbi… |
| CVE-2026-40453 | CRITICAL | Patched | 9.9 | 2026-04-27 | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alon… |
| CVE-2026-41478 | CRITICAL | Patched | 9.9 | 2026-04-24 | Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sy… |
| CVE-2026-21515 | CRITICAL | | 9.9 | 2026-04-24 | Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-40472 | CRITICAL | | 9.9 | 2026-04-23 | In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS)… |
| CVE-2026-40470 | CRITICAL | | 9.9 | 2026-04-23 | A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facilit… |
| CVE-2026-41228 | CRITICAL | Patched | 9.9 | 2026-04-23 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_… |
| CVE-2026-40933 | CRITICAL | Patched | 9.9 | 2026-04-21 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, a… |
| CVE-2026-40906 | CRITICAL | Patched | 9.9 | 2026-04-21 | Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowin… |
| CVE-2026-41329 | CRITICAL | Patched | 9.9 | 2026-04-21 | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter ma… |
| CVE-2026-32604 | CRITICAL | Patched | 9.9 | 2026-04-20 | Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary co… |
| CVE-2026-32613 | CRITICAL | Patched | 9.9 | 2026-04-20 | Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specif… |