31,034 CVEs · Critical severity
Showing 401–425 of 31,034 (capped at 500)
| CVE ID | Severity | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-31071 | CRITICAL | | 9.1 | 2026-05-19 | API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user … |
| CVE-2026-31072 | CRITICAL | | 9.8 | 2026-05-19 | The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization.… |
| CVE-2026-30117 | CRITICAL | | 9.8 | 2026-05-19 | scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability… |
| CVE-2026-44159 | CRITICAL | | 9.8 | 2026-05-19 | Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been dis… |
| CVE-2026-2586 | CRITICAL | Patched | 9.1 | 2026-05-19 | An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests t… |
| CVE-2026-2587 | CRITICAL | Patched | 9.6 | 2026-05-19 | A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application pr… |
| CVE-2026-8959 | CRITICAL | Patched | 9.6 | 2026-05-19 | Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Th… |
| CVE-2026-8948 | CRITICAL | Patched | 9.1 | 2026-05-19 | Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. |
| CVE-2026-8950 | CRITICAL | Patched | 9.3 | 2026-05-19 | Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. |
| CVE-2026-8953 | CRITICAL | Patched | 9.6 | 2026-05-19 | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbi… |
| CVE-2026-8956 | CRITICAL | Patched | 9.8 | 2026-05-19 | Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. |
| CVE-2026-47323 | CRITICAL | Patched | 9.8 | 2026-05-19 | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in c… |
| CVE-2026-43633 | CRITICAL | | 10.0 | 2026-05-19 | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that… |
| CVE-2026-4883 | CRITICAL | | 9.8 | 2026-05-19 | The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all ve… |
| CVE-2026-43493 | CRITICAL | | 9.8 | 2026-05-19 | In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests MAY_BACKLOG requests can return EBUSY. Handle t… |
| CVE-2026-31986 | CRITICAL | Patched | 9.1 | 2026-05-19 | Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06,… |
| CVE-2026-41919 | CRITICAL | Patched | 9.1 | 2026-05-19 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. User… |
| CVE-2026-45434 | CRITICAL | Patched | 9.8 | 2026-05-19 | Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Us… |
| CVE-2026-2611 | CRITICAL | Patched | 9.6 | 2026-05-19 | In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to explo… |
| CVE-2026-4885 | CRITICAL | | 9.8 | 2026-05-19 | The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' functio… |
| CVE-2026-8838 | CRITICAL | Patched | 9.8 | 2026-05-18 | Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle … |
| CVE-2026-25244 | CRITICAL | Patched | 9.8 | 2026-05-18 | WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection… |
| CVE-2026-27130 | CRITICAL | Patched | 9.9 | 2026-05-18 | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause thi… |
| CVE-2026-8836 | CRITICAL | | 9.8 | 2026-05-18 | A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. P… |
| CVE-2026-45230 | CRITICAL | | 9.1 | 2026-05-18 | DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attac… |