CVEs (18,985, showing first 500)
Showing 76–100 of 18,985 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-34078 | CRITICAL | Patched | 10.0 | 2026-04-07 | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-contr… |
| CVE-2026-39337 | CRITICAL | Patched | 10.0 | 2026-04-07 | ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows una… |
| CVE-2025-54328 | CRITICAL | | 10.0 | 2026-04-06 | An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, … |
| CVE-2026-34976 | CRITICAL | Patched | 10.0 | 2026-04-06 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), mak… |
| CVE-2026-34444 | CRITICAL | Patched | 10.0 | 2026-04-06 | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in … |
| CVE-2026-34208 | CRITICAL | Patched | 10.0 | 2026-04-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can… |
| CVE-2026-34938 | CRITICAL | Patched | 10.0 | 2026-04-03 | PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can b… |
| CVE-2026-32186 | CRITICAL | | 10.0 | 2026-04-03 | Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-33105 | CRITICAL | | 10.0 | 2026-04-03 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-33107 | CRITICAL | | 10.0 | 2026-04-03 | Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-32213 | CRITICAL | | 10.0 | 2026-04-03 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-32871 | CRITICAL | Patched | 10.0 | 2026-04-02 | FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI s… |
| CVE-2026-4370 | CRITICAL | Patched | 10.0 | 2026-04-01 | A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper … |
| CVE-2026-34162 | CRITICAL | Patched | 10.0 | 2026-03-31 | FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authen… |
| CVE-2026-28505 | CRITICAL | Patched | 10.0 | 2026-03-30 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sand… |
| CVE-2025-15036 | CRITICAL | Patched | 10.0 | 2026-03-30 | A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. … |
| CVE-2026-30302 | CRITICAL | Patched | 10.0 | 2026-03-27 | The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability… |
| CVE-2026-33494 | CRITICAL | Patched | 10.0 | 2026-03-26 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are… |
| CVE-2026-4725 | CRITICAL | Patched | 10.0 | 2026-03-24 | Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. |
| CVE-2026-4692 | CRITICAL | Patched | 10.0 | 2026-03-24 | Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. |
| CVE-2026-4688 | CRITICAL | Patched | 10.0 | 2026-03-24 | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbi… |
| CVE-2026-4689 | CRITICAL | Patched | 10.0 | 2026-03-24 | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 1… |
| CVE-2026-4745 | NONE | | — | 2026-03-24 | Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program f… |
| CVE-2026-4746 | NONE | Patched | — | 2026-03-24 | Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is associated with program files inflate.C. This issue affe… |
| CVE-2026-33478 | CRITICAL | Patched | 10.0 | 2026-03-23 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a complete… |