Search
6,811 CVEs
CVEs (6,811, showing first 500)
Only the first 500 CVEs (by current sort) are shown when searching without a keyword. Add a search term above to narrow the results.
Showing 126–150 of 6,811 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-49191 | CRITICAL | Patched | 9.8 | 2026-06-04 | The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages. |
| CVE-2026-49188 | CRITICAL | Patched | 9.8 | 2026-06-04 | The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands. |
| CVE-2026-49185 | CRITICAL | Patched | 9.8 | 2026-06-04 | The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection. |
| CVE-2026-49186 | CRITICAL | Patched | 9.8 | 2026-06-04 | The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden n… |
| CVE-2026-36576 | CRITICAL | 9.8 | 2026-06-03 | An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a c… | |
| CVE-2026-35075 | CRITICAL | Patched | 9.8 | 2026-06-03 | An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices. |
| CVE-2026-47065 | CRITICAL | 9.8 | 2026-06-03 | ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains … | |
| CVE-2026-49448 | CRITICAL | Patched | 9.8 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue ha… |
| CVE-2026-5076 | CRITICAL | 9.8 | 2026-06-02 | The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext c… | |
| CVE-2026-38967 | CRITICAL | 9.8 | 2026-06-02 | CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values. | |
| CVE-2026-42074 | CRITICAL | Patched | 9.8 | 2026-06-02 | OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exp… |
| CVE-2026-0611 | CRITICAL | Patched | 9.8 | 2026-06-02 | Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET R… |
| CVE-2026-47117 | CRITICAL | Patched | 9.8 | 2026-06-02 | OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matchin… |
| CVE-2026-7198 | CRITICAL | Patched | 9.8 | 2026-06-02 | CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be… |
| CVE-2025-53209 | CRITICAL | 9.8 | 2026-06-02 | Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0. | |
| CVE-2026-8206 | CRITICAL | 9.8 | 2026-06-02 | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0… | |
| CVE-2026-25879 | CRITICAL | Patched | 9.8 | 2026-06-01 | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceabl… |
| CVE-2018-25427 | CRITICAL | 9.8 | 2026-06-01 | Arm Whois 3.11 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by supplying oversized input to the IP address or… | |
| CVE-2026-48879 | CRITICAL | 9.8 | 2026-06-01 | Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17. | |
| CVE-2026-42680 | CRITICAL | 9.8 | 2026-06-01 | Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gal… | |
| CVE-2026-7858 | CRITICAL | 9.8 | 2026-06-01 | A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CA… | |
| CVE-2026-10187 | CRITICAL | 9.8 | 2026-05-31 | A vulnerability was detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web … | |
| CVE-2018-25412 | CRITICAL | 9.8 | 2026-05-30 | Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php … | |
| CVE-2026-45697 | CRITICAL | Patched | 9.8 | 2026-05-29 | Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Cust… |
| CVE-2026-45700 | CRITICAL | Patched | 9.8 | 2026-05-29 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar d… |