31,027 CVEs · Critical severity
CVEs (31,027, showing first 500)
Showing 76–100 of 31,027 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↑ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-23873 | CRITICAL | Patched | 9.0 | 2026-01-22 | hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through … |
| CVE-2026-1181 | CRITICAL | | 9.0 | 2026-01-19 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from ot… |
| CVE-2026-1009 | CRITICAL | | 9.0 | 2026-01-15 | A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker … |
| CVE-2026-23520 | CRITICAL | Patched | 9.0 | 2026-01-15 | Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.ge… |
| CVE-2025-12548 | CRITICAL | | 9.0 | 2026-01-13 | A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, et… |
| CVE-2025-59468 | CRITICAL | Patched | 9.0 | 2026-01-08 | This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter. |
| CVE-2025-59469 | CRITICAL | Patched | 9.0 | 2026-01-08 | This vulnerability allows a Backup or Tape Operator to write files as root. |
| CVE-2025-59470 | CRITICAL | Patched | 9.0 | 2026-01-08 | This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter. |
| CVE-2025-68929 | CRITICAL | Patched | 9.0 | 2025-12-29 | Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a s… |
| CVE-2025-66074 | CRITICAL | | 9.0 | 2025-12-18 | Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal. This issue affects WP Webhooks: from n/a through <= 3.3.8. |
| CVE-2025-47372 | CRITICAL | | 9.0 | 2025-12-18 | Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. |
| CVE-2025-33210 | CRITICAL | Patched | 9.0 | 2025-12-16 | NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution. |
| CVE-2025-59947 | CRITICAL | Patched | 9.0 | 2025-12-15 | NanoMQ is a messaging broker/bus for IoT Edge & SDV. Versions prior to 0.24.4 have a buffer overflow case while the PUBLISH packets trigger both shared subscription and van… |
| CVE-2025-65267 | CRITICAL | | 9.0 | 2025-12-03 | In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes wh… |
| CVE-2025-8351 | CRITICAL | Patched | 9.0 | 2025-12-01 | Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Servi… |
| CVE-2025-3500 | CRITICAL | Patched | 9.0 | 2025-12-01 | Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation. This issue affects Antivirus: from 25.1.981.6 before 25.3. |
| CVE-2025-63729 | CRITICAL | | 9.0 | 2025-11-25 | An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to extract the SSL Private Key, CA Certificate, SSL Certificate, and Clie… |
| CVE-2025-64325 | CRITICAL | Patched | 9.0 | 2025-11-18 | Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipula… |
| CVE-2025-9501 | CRITICAL | Patched | 9.0 | 2025-11-17 | The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP co… |
| CVE-2025-36096 | CRITICAL | | 9.0 | 2025-11-13 | IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 stores NIM private keys used in NIM environments in an insecure way which is susceptible to unauthorized access by an attacke… |
| CVE-2025-64338 | CRITICAL | Patched | 9.0 | 2025-11-07 | ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Nam… |
| CVE-2025-62368 | CRITICAL | Patched | 9.0 | 2025-10-28 | Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserializat… |
| CVE-2025-62023 | CRITICAL | | 9.0 | 2025-10-22 | Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member. This issue affects s2Member: from n/a through <= 250905. |
| CVE-2025-42910 | CRITICAL | | 9.0 | 2025-10-14 | Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could incl… |
| CVE-2025-9976 | CRITICAL | | 9.0 | 2025-10-13 | An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could all… |