CVEs (6,811, showing first 500)
Showing 76–100 of 6,811 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-42748 | CRITICAL | | 9.9 | 2026-05-27 | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czec… |
| CVE-2026-44450 | CRITICAL | Patched | 9.9 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forw… |
| CVE-2026-46624 | CRITICAL | Patched | 9.9 | 2026-05-26 | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQ… |
| CVE-2026-7374 | CRITICAL | | 9.9 | 2026-05-26 | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit impr… |
| CVE-2026-40411 | CRITICAL | | 9.9 | 2026-05-22 | Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. |
| CVE-2026-44050 | CRITICAL | | 9.9 | 2026-05-21 | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with es… |
| CVE-2026-33642 | CRITICAL | Patched | 9.9 | 2026-05-19 | Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composit… |
| CVE-2026-27130 | CRITICAL | Patched | 9.9 | 2026-05-18 | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause thi… |
| CVE-2026-44774 | CRITICAL | Patched | 9.9 | 2026-05-15 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation p… |
| CVE-2026-44442 | CRITICAL | Patched | 9.9 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to mod… |
| CVE-2026-43999 | CRITICAL | Patched | 9.9 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard… |
| CVE-2026-41050 | CRITICAL | | 9.9 | 2026-05-13 | Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read sec… |
| CVE-2026-43948 | CRITICAL | Patched | 9.9 | 2026-05-12 | wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization… |
| CVE-2026-42196 | NONE | Patched | — | 2026-05-12 | django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attac… |
| CVE-2026-42898 | CRITICAL | Patched | 9.9 | 2026-05-12 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. |
| CVE-2026-42823 | CRITICAL | | 9.9 | 2026-05-12 | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-42864 | CRITICAL | Patched | 9.9 | 2026-05-11 | FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authenticat… |
| CVE-2026-7813 | CRITICAL | Patched | 9.9 | 2026-05-11 | Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetch… |
| CVE-2026-52778 | CRITICAL | | 9.8 | 2026-06-08 | YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The… |
| CVE-2026-39910 | CRITICAL | | 9.8 | 2026-06-08 | STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compro… |
| CVE-2026-25555 | CRITICAL | | 9.8 | 2026-06-08 | OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain adm… |
| CVE-2026-44631 | CRITICAL | Patched | 9.8 | 2026-06-08 | Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67… |
| CVE-2026-11499 | CRITICAL | | 9.8 | 2026-06-08 | A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Executing a manipulat… |
| CVE-2023-54352 | CRITICAL | | 9.8 | 2026-06-08 | WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the th… |
| CVE-2024-58348 | CRITICAL | | 9.8 | 2026-06-08 | WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing t… |