31,027 CVEs · Critical severity
CVEs (31,027, showing first 500)
Showing 476–500 of 31,027 (capped at 500)
| CVE ID | Severity | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-44050 | CRITICAL | | 9.9 | 2026-05-21 | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with es… |
| CVE-2026-4404 | CRITICAL | | 9.4 | 2026-03-23 | Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI. |
| CVE-2026-44009 | CRITICAL | Patched | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2. |
| CVE-2026-44008 | CRITICAL | Patched | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side… |
| CVE-2026-44007 | CRITICAL | Patched | 9.1 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of th… |
| CVE-2026-44006 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulne… |
| CVE-2026-44005 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox … |
| CVE-2026-43999 | CRITICAL | Patched | 9.9 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard… |
| CVE-2026-43997 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbo… |
| CVE-2026-43995 | CRITICAL | Patched | 9.8 | 2026-05-11 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP c… |
| CVE-2026-43992 | CRITICAL | Patched | 9.8 | 2026-05-12 | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm,… |
| CVE-2026-43986 | CRITICAL | | 9.9 | 2026-06-04 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/<hash>` route that resolves attacker-control… |
| CVE-2026-4395 | CRITICAL | Patched | 9.8 | 2026-03-19 | Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bo… |
| CVE-2026-43948 | CRITICAL | Patched | 9.9 | 2026-05-12 | wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization… |
| CVE-2026-43944 | CRITICAL | Patched | 9.6 | 2026-05-08 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local co… |
| CVE-2026-43941 | CRITICAL | Patched | 9.6 | 2026-05-08 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL… |
| CVE-2026-43900 | CRITICAL | Patched | 9.3 | 2026-05-11 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability… |
| CVE-2026-43899 | CRITICAL | Patched | 9.6 | 2026-05-11 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, an incomplete mitigation for CVE-2025-5573… |
| CVE-2026-43898 | CRITICAL | Patched | 10.0 | 2026-05-28 | SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Cal… |
| CVE-2026-4374 | CRITICAL | Patched | 9.1 | 2026-04-01 | Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queueing Service,… |
| CVE-2026-4370 | CRITICAL | Patched | 10.0 | 2026-04-01 | A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper … |
| CVE-2026-4365 | CRITICAL | | 9.1 | 2026-04-14 | The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions… |
| CVE-2026-43633 | CRITICAL | | 10.0 | 2026-05-19 | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that… |
| CVE-2026-43581 | CRITICAL | Patched | 9.6 | 2026-05-06 | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers ca… |
| CVE-2026-43578 | CRITICAL | Patched | 9.1 | 2026-05-06 | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec compl… |