31,027 CVEs · Critical severity
CVEs (31,027, showing first 500)
Showing 26–50 of 31,027 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-42960 | CRITICAL | Patched | 10.0 | 2026-05-20 | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS r… |
| CVE-2026-34234 | CRITICAL | Patched | 10.0 | 2026-05-19 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthen… |
| CVE-2026-43633 | CRITICAL | | 10.0 | 2026-05-19 | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that… |
| CVE-2026-42822 | CRITICAL | Patched | 10.0 | 2026-05-18 | Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-41553 | CRITICAL | Patched | 10.0 | 2026-05-15 | PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated atta… |
| CVE-2026-44523 | CRITICAL | Patched | 10.0 | 2026-05-14 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accept… |
| CVE-2026-20182 | CRITICAL | Patched | 10.0 | 2026-05-14 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This … |
| CVE-2026-44005 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox … |
| CVE-2026-44006 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulne… |
| CVE-2026-43997 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbo… |
| CVE-2026-42288 | CRITICAL | Patched | 10.0 | 2026-05-12 | ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability i… |
| CVE-2026-42869 | CRITICAL | Patched | 10.0 | 2026-05-11 | SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing s… |
| CVE-2026-44643 | CRITICAL | Patched | 10.0 | 2026-05-11 | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters… |
| CVE-2026-42298 | CRITICAL | Patched | 10.0 | 2026-05-08 | Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr… |
| CVE-2026-41070 | CRITICAL | Patched | 10.0 | 2026-05-08 | openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle OIDC-based single sign-on (SSO) auth flows. From version 1.26.3 to before versio… |
| CVE-2026-42826 | CRITICAL | | 10.0 | 2026-05-07 | Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-33587 | CRITICAL | Patched | 10.0 | 2026-05-07 | Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server… |
| CVE-2026-40281 | CRITICAL | Patched | 10.0 | 2026-05-06 | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but le… |
| CVE-2026-7411 | CRITICAL | | 10.0 | 2026-05-05 | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to p… |
| CVE-2026-42369 | CRITICAL | | 10.0 | 2026-05-04 | GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed local… |
| CVE-2026-37541 | CRITICAL | | 10.0 | 2026-05-01 | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, … |
| CVE-2026-35051 | CRITICAL | Patched | 10.0 | 2026-04-30 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardA… |
| CVE-2026-39858 | CRITICAL | Patched | 10.0 | 2026-04-30 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traef… |
| CVE-2026-36767 | CRITICAL | | 10.0 | 2026-04-30 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafted POST request. |
| CVE-2026-33453 | CRITICAL | Patched | 10.0 | 2026-04-27 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is v… |