31,026 CVEs · Critical severity
CVEs (31,026, showing first 500)
Showing 476–500 of 31,026 (capped at 500)
| CVE ID | Severity | Patch | CVSS | Published ↓ | Description |
|---|---|---|---|---|---|
| CVE-2025-27851 | CRITICAL | | 9.3 | 2026-05-13 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to … |
| CVE-2026-44351 | CRITICAL | Patched | 9.1 | 2026-05-13 | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any … |
| CVE-2026-42032 | CRITICAL | Patched | 9.1 | 2026-05-13 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed at… |
| CVE-2026-42031 | CRITICAL | Patched | 9.8 | 2026-05-13 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed at… |
| CVE-2026-0257 | CRITICAL | Patched | 9.1 | 2026-05-13 | Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and… |
| CVE-2026-45411 | CRITICAL | Patched | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the gene… |
| CVE-2026-44009 | CRITICAL | Patched | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2. |
| CVE-2026-44008 | CRITICAL | Patched | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side… |
| CVE-2026-44007 | CRITICAL | Patched | 9.1 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of th… |
| CVE-2026-44006 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulne… |
| CVE-2026-44005 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox … |
| CVE-2026-43999 | CRITICAL | Patched | 9.9 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard… |
| CVE-2026-43997 | CRITICAL | Patched | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbo… |
| CVE-2026-42557 | CRITICAL | Patched | 9.6 | 2026-05-13 | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer … |
| CVE-2026-41225 | CRITICAL | | 9.1 | 2026-05-13 | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running… |
| CVE-2020-37168 | CRITICAL | | 9.8 | 2026-05-13 | Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for paym… |
| CVE-2026-42062 | CRITICAL | | 9.8 | 2026-05-13 | ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may b… |
| CVE-2026-40621 | CRITICAL | | 9.8 | 2026-05-13 | ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication. |
| CVE-2026-41050 | CRITICAL | | 9.9 | 2026-05-13 | Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read sec… |
| CVE-2026-32661 | CRITICAL | | 9.8 | 2026-05-13 | Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a specially craft… |
| CVE-2025-11159 | CRITICAL | Patched | 9.1 | 2026-05-13 | Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new conn… |
| CVE-2026-44547 | CRITICAL | Patched | 9.6 | 2026-05-12 | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripp… |
| CVE-2026-42288 | CRITICAL | Patched | 10.0 | 2026-05-12 | ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability i… |
| CVE-2026-41901 | CRITICAL | Patched | 9.0 | 2026-05-12 | Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execut… |
| CVE-2026-44262 | CRITICAL | Patched | 9.4 | 2026-05-12 | Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference… |