31,027 CVEs · Critical severity
CVEs (31,027, showing first 500)
Showing 451–475 of 31,027 (capped at 500)
| CVE ID | Severity | Patch | CVSS | Published ↓ | Description |
|---|---|---|---|---|---|
| CVE-2026-44592 | CRITICAL | Patched | 9.4 | 2026-05-14 | Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto ca… |
| CVE-2026-44523 | CRITICAL | Patched | 10.0 | 2026-05-14 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accept… |
| CVE-2026-41315 | CRITICAL | Patched | 9.8 | 2026-05-14 | mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentica… |
| CVE-2026-44542 | CRITICAL | Patched | 9.1 | 2026-05-14 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path … |
| CVE-2026-41615 | CRITICAL | Patched | 9.6 | 2026-05-14 | Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-42555 | CRITICAL | Patched | 9.1 | 2026-05-14 | Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 1… |
| CVE-2026-20182 | CRITICAL | Patched | 10.0 | 2026-05-14 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This … |
| CVE-2026-42596 | CRITICAL | Patched | 9.4 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassab… |
| CVE-2026-42589 | CRITICAL | Patched | 9.8 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and pa… |
| CVE-2026-44484 | CRITICAL | | 9.8 | 2026-05-14 | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harve… |
| CVE-2026-44482 | CRITICAL | Patched | 9.6 | 2026-05-14 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed … |
| CVE-2026-42457 | CRITICAL | Patched | 9.0 | 2026-05-14 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is… |
| CVE-2026-2347 | CRITICAL | Patched | 9.8 | 2026-05-14 | Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue af… |
| CVE-2025-11024 | CRITICAL | Patched | 9.8 | 2026-05-14 | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allo… |
| CVE-2026-6512 | CRITICAL | | 9.1 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying … |
| CVE-2026-6510 | CRITICAL | | 9.8 | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing … |
| CVE-2026-6271 | CRITICAL | | 9.8 | 2026-05-14 | The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing f… |
| CVE-2026-8181 | CRITICAL | | 9.8 | 2026-05-14 | The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to … |
| CVE-2026-8500 | CRITICAL | | 9.8 | 2026-05-13 | Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user p… |
| CVE-2026-45158 | CRITICAL | Patched | 9.1 | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is… |
| CVE-2026-44442 | CRITICAL | Patched | 9.9 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to mod… |
| CVE-2026-44194 | CRITICAL | Patched | 9.1 | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user wi… |
| CVE-2026-44193 | CRITICAL | Patched | 9.1 | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading … |
| CVE-2026-45714 | CRITICAL | Patched | 9.1 | 2026-05-13 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (inc… |
| CVE-2026-45053 | CRITICAL | Patched | 9.1 | 2026-05-13 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/… |