Search
6,811 CVEs
CVEs (6,811, showing first 500)
Only the first 500 CVEs (by current sort) are shown when searching without a keyword. Add a search term above to narrow the results.
Showing 426–450 of 6,811 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-45323 | CRITICAL | Patched | 9.6 | 2026-05-28 | MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node… |
| CVE-2026-45374 | CRITICAL | Patched | 9.6 | 2026-05-28 | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell def… |
| CVE-2026-45570 | CRITICAL | Patched | 9.6 | 2026-05-27 | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapp… |
| CVE-2026-44985 | CRITICAL | Patched | 9.6 | 2026-05-26 | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bo… |
| CVE-2026-39821 | CRITICAL | Patched | 9.6 | 2026-05-22 | The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly re… |
| CVE-2026-8670 | CRITICAL | Patched | 9.6 | 2026-05-22 | Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay). This issue affects Avantra:… |
| CVE-2026-2587 | CRITICAL | Patched | 9.6 | 2026-05-19 | A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application pr… |
| CVE-2026-8959 | CRITICAL | Patched | 9.6 | 2026-05-19 | Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Th… |
| CVE-2026-8953 | CRITICAL | Patched | 9.6 | 2026-05-19 | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbi… |
| CVE-2026-2611 | CRITICAL | Patched | 9.6 | 2026-05-19 | In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to explo… |
| CVE-2026-8580 | CRITICAL | Patched | 9.6 | 2026-05-14 | Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium securit… |
| CVE-2026-8511 | CRITICAL | Patched | 9.6 | 2026-05-14 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security … |
| CVE-2026-41615 | CRITICAL | Patched | 9.6 | 2026-05-14 | Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-44482 | CRITICAL | Patched | 9.6 | 2026-05-14 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed … |
| CVE-2026-42557 | CRITICAL | Patched | 9.6 | 2026-05-13 | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer … |
| CVE-2026-44547 | CRITICAL | Patched | 9.6 | 2026-05-12 | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripp… |
| CVE-2026-34659 | CRITICAL | Patched | 9.6 | 2026-05-12 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in … |
| CVE-2026-42048 | CRITICAL | Patched | 9.6 | 2026-05-12 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /… |
| CVE-2026-8043 | CRITICAL | Patched | 9.6 | 2026-05-12 | External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a… |
| CVE-2026-34260 | CRITICAL | 9.6 | 2026-05-12 | SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-co… | |
| CVE-2026-34263 | CRITICAL | 9.6 | 2026-05-12 | Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side co… | |
| CVE-2026-45321 | CRITICAL | 9.6 | 2026-05-12 | On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authen… | |
| CVE-2026-43899 | CRITICAL | Patched | 9.6 | 2026-05-11 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-5573… |
| CVE-2026-47430 | NONE | Patched | — | 2026-06-08 | ## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` wi… |
| CVE-2026-8467 | NONE | Patched | — | 2026-05-20 | Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template … |