Search
127,949 CVEs · High severity
CVEs (127,949, showing first 500)
Only the first 500 CVEs (by current sort) are shown when searching without a keyword. Add a search term above to narrow the results.
Showing 101–125 of 127,949 (capped at 500)
| CVE ID | Severity ↑ | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-26422 | HIGH | Patched | 8.4 | 2026-06-06 | clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation. |
| CVE-2026-11437 | HIGH | 7.3 | 2026-06-06 | A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. E… | |
| CVE-2026-11435 | HIGH | 7.3 | 2026-06-06 | A security vulnerability has been detected in Jinher OA 1.0. This affects an unknown function of the file nextselectplan.aspx. Such manipulation of the argument httpOID lea… | |
| CVE-2026-11413 | HIGH | 8.8 | 2026-06-06 | A security vulnerability has been detected in JingDong JD Cloud Box AX6600 4.5.3.r4546. The impacted element is the function set_macfilter of the file /sbin/jdcweb_rpc. The… | |
| CVE-2026-10725 | HIGH | 7.5 | 2026-06-06 | Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 reques… | |
| CVE-2026-9851 | HIGH | 7.2 | 2026-06-06 | The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capab… | |
| CVE-2026-7537 | HIGH | 7.2 | 2026-06-06 | The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. T… | |
| CVE-2026-8901 | HIGH | 7.2 | 2026-06-06 | The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submi… | |
| CVE-2026-8438 | HIGH | 7.2 | 2026-06-06 | The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due … | |
| CVE-2026-9290 | HIGH | 7.5 | 2026-06-06 | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (pro… | |
| CVE-2026-7654 | HIGH | 8.8 | 2026-06-05 | The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use… | |
| CVE-2026-11416 | HIGH | 8.1 | 2026-06-05 | MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concat… | |
| CVE-2026-36785 | HIGH | 7.5 | 2026-06-05 | Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the page parameter of the fromDhcpListClient function. This vulnerabil… | |
| CVE-2026-11422 | HIGH | 7.1 | 2026-06-05 | Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arb… | |
| CVE-2026-46493 | HIGH | 7.5 | 2026-06-05 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes t… | |
| CVE-2026-45300 | HIGH | Patched | 7.4 | 2026-06-05 | The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.… |
| CVE-2026-11400 | HIGH | Patched | 8.0 | 2026-06-05 | An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege act… |
| CVE-2026-11401 | HIGH | Patched | 8.0 | 2026-06-05 | An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor… |
| CVE-2026-5415 | HIGH | 8.8 | 2026-06-05 | The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all… | |
| CVE-2026-5411 | HIGH | 8.8 | 2026-06-05 | The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all… | |
| CVE-2026-46392 | HIGH | 8.7 | 2026-06-05 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insens… | |
| CVE-2026-50733 | HIGH | Patched | 8.8 | 2026-06-05 | Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw aff… |
| CVE-2026-49492 | HIGH | Patched | 8.8 | 2026-06-05 | Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown docum… |
| CVE-2026-49493 | HIGH | Patched | 8.8 | 2026-06-05 | Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing … |
| CVE-2026-45749 | HIGH | Patched | 8.1 | 2026-06-05 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-co… |