31,027 CVEs · Critical severity
CVEs (31,027, showing first 500)
Showing 126–150 of 31,027 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-25641 | CRITICAL | Patched | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performe… |
| CVE-2026-25520 | CRITICAL | Patched | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array conta… |
| CVE-2026-25586 | CRITICAL | Patched | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitel… |
| CVE-2026-25587 | CRITICAL | Patched | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, its prototype can be obtained via Map.prototype. By overwriting Map.prototype.h… |
| CVE-2026-25725 | CRITICAL | Patched | 10.0 | 2026-02-06 | Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configurat… |
| CVE-2025-68121 | CRITICAL | Patched | 10.0 | 2026-02-05 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the r… |
| CVE-2025-59818 | CRITICAL | Patched | 10.0 | 2026-02-04 | This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. |
| CVE-2026-1633 | CRITICAL | | 10.0 | 2026-02-04 | The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify … |
| CVE-2025-10878 | CRITICAL | Patched | 10.0 | 2026-02-03 | A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to … |
| CVE-2025-70841 | CRITICAL | | 10.0 | 2026-02-03 | Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /s… |
| CVE-2026-25142 | CRITICAL | Patched | 10.0 | 2026-02-02 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be use… |
| CVE-2026-1699 | CRITICAL | Patched | 10.0 | 2026-01-30 | In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrust… |
| CVE-2026-24054 | CRITICAL | Patched | 10.0 | 2026-01-29 | Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.2… |
| CVE-2026-24897 | CRITICAL | Patched | 10.0 | 2026-01-28 | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified locat… |
| CVE-2025-57792 | CRITICAL | Patched | 10.0 | 2026-01-28 | Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker ca… |
| CVE-2026-23830 | CRITICAL | Patched | 10.0 | 2026-01-28 | SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. T… |
| CVE-2025-4320 | CRITICAL | | 10.0 | 2026-01-23 | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam a… |
| CVE-2025-69828 | CRITICAL | | 10.0 | 2026-01-22 | File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Cu… |
| CVE-2025-68001 | CRITICAL | | 10.0 | 2026-01-22 | Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server. This issue affects g-FFL C… |
| CVE-2025-50002 | CRITICAL | | 10.0 | 2026-01-22 | Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a throu… |
| CVE-2026-21962 | CRITICAL | | 10.0 | 2026-01-20 | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP … |
| CVE-2026-21636 | CRITICAL | Patched | 10.0 | 2026-01-20 | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, … |
| CVE-2026-23800 | CRITICAL | Patched | 10.0 | 2026-01-16 | Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0. |
| CVE-2025-61937 | CRITICAL | Patched | 10.0 | 2026-01-16 | The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially res… |
| CVE-2026-22686 | CRITICAL | Patched | 10.0 | 2026-01-14 | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows… |