Search
31,034 CVEs · Critical severity
CVEs (31,034, showing first 500)
Only the first 500 CVEs (by current sort) are shown when searching without a keyword. Add a search term above to narrow the results.
Showing 101–125 of 31,034 (capped at 500)
| CVE ID | Severity ↑ | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2019-25727 | CRITICAL | 9.8 | 2026-06-04 | WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating th… | |
| CVE-2019-25729 | CRITICAL | 9.8 | 2026-06-04 | PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the… | |
| CVE-2026-4104 | CRITICAL | 9.8 | 2026-06-04 | Authorization bypass through User-Controlled SQL primary key vulnerability in Akmer Informatics Automation Industry and Trade Ltd. Co. TeknoPass allows SQL Injection. This… | |
| CVE-2026-10840 | CRITICAL | 9.6 | 2026-06-04 | A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and ce… | |
| CVE-2026-50225 | CRITICAL | Patched | 9.1 | 2026-06-04 | The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database. |
| CVE-2026-50214 | CRITICAL | Patched | 9.8 | 2026-06-04 | The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans. |
| CVE-2026-50208 | CRITICAL | Patched | 9.4 | 2026-06-04 | High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could… |
| CVE-2026-50211 | CRITICAL | Patched | 9.8 | 2026-06-04 | Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. |
| CVE-2026-49191 | CRITICAL | Patched | 9.8 | 2026-06-04 | The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages. |
| CVE-2026-49188 | CRITICAL | Patched | 9.8 | 2026-06-04 | The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands. |
| CVE-2026-49185 | CRITICAL | Patched | 9.8 | 2026-06-04 | The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection. |
| CVE-2026-49186 | CRITICAL | Patched | 9.8 | 2026-06-04 | The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden n… |
| CVE-2026-41283 | CRITICAL | 9.9 | 2026-06-04 | OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltrati… | |
| CVE-2026-46266 | CRITICAL | 9.1 | 2026-06-03 | In the Linux kernel, the following vulnerability has been resolved: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP Yizhou Zhao reported that simply having on… | |
| CVE-2026-46244 | CRITICAL | 9.1 | 2026-06-03 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv… | |
| CVE-2026-36748 | CRITICAL | 9.0 | 2026-06-03 | RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile. | |
| CVE-2026-36576 | CRITICAL | 9.8 | 2026-06-03 | An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a c… | |
| CVE-2026-5241 | CRITICAL | 9.6 | 2026-06-03 | A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code durin… | |
| CVE-2026-35075 | CRITICAL | Patched | 9.8 | 2026-06-03 | An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices. |
| CVE-2026-47065 | CRITICAL | 9.8 | 2026-06-03 | ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains … | |
| CVE-2025-14771 | CRITICAL | 9.9 | 2026-06-03 | Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | |
| CVE-2026-32625 | CRITICAL | Patched | 9.6 | 2026-06-02 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resol… |
| CVE-2026-49448 | CRITICAL | Patched | 9.8 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue ha… |
| CVE-2026-42849 | CRITICAL | Patched | 9.3 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to m… |
| CVE-2026-5076 | CRITICAL | 9.8 | 2026-06-02 | The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext c… |