Search
18,985 CVEs
CVEs (18,985, showing first 500)
Only the first 500 CVEs (by current sort) are shown when searching without a keyword. Add a search term above to narrow the results.
Showing 126–150 of 18,985 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-45312 | CRITICAL | 9.9 | 2026-05-29 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py)… | |
| CVE-2026-9559 | CRITICAL | 9.9 | 2026-05-29 | A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic… | |
| CVE-2026-9558 | CRITICAL | 9.9 | 2026-05-29 | A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function res… | |
| CVE-2026-44881 | CRITICAL | Patched | 9.9 | 2026-05-28 | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environme… |
| CVE-2026-9645 | CRITICAL | 9.9 | 2026-05-28 | Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system comp… | |
| CVE-2026-46839 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privilege… |
| CVE-2026-46822 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily ex… |
| CVE-2026-46824 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affec… |
| CVE-2026-46775 | CRITICAL | Patched | 9.9 | 2026-05-28 | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privilege… |
| CVE-2026-44477 | CRITICAL | Patched | 9.9 | 2026-05-28 | CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its… |
| CVE-2026-9813 | CRITICAL | Patched | 9.9 | 2026-05-28 | FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker… |
| CVE-2026-45102 | CRITICAL | Patched | 9.9 | 2026-05-27 | OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not desig… |
| CVE-2026-46425 | CRITICAL | Patched | 9.9 | 2026-05-27 | Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (… |
| CVE-2026-42756 | CRITICAL | 9.9 | 2026-05-27 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP |… | |
| CVE-2026-42757 | CRITICAL | 9.9 | 2026-05-27 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traver… | |
| CVE-2026-42748 | CRITICAL | 9.9 | 2026-05-27 | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server.This issue affects WPify Woo Czec… | |
| CVE-2026-44450 | CRITICAL | Patched | 9.9 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forw… |
| CVE-2026-46624 | CRITICAL | Patched | 9.9 | 2026-05-26 | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQ… |
| CVE-2026-7374 | CRITICAL | 9.9 | 2026-05-26 | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit impr… | |
| CVE-2026-40411 | CRITICAL | 9.9 | 2026-05-22 | Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. | |
| CVE-2026-44050 | CRITICAL | 9.9 | 2026-05-21 | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with es… | |
| CVE-2026-33642 | CRITICAL | Patched | 9.9 | 2026-05-19 | Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composit… |
| CVE-2026-27130 | CRITICAL | Patched | 9.9 | 2026-05-18 | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause thi… |
| CVE-2026-44774 | CRITICAL | Patched | 9.9 | 2026-05-15 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation p… |
| CVE-2026-44442 | CRITICAL | Patched | 9.9 | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to mod… |