Search
31,034 CVEs · Critical severity
CVEs (31,034, showing first 500)
Only the first 500 CVEs (by current sort) are shown when searching without a keyword. Add a search term above to narrow the results.
Showing 151–175 of 31,034 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↑ | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-8017 | CRITICAL | Patched | 9.0 | 2025-03-20 | An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attack… |
| CVE-2024-7053 | CRITICAL | 9.0 | 2025-03-20 | A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users i… | |
| CVE-2025-29783 | CRITICAL | Patched | 9.0 | 2025-03-19 | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over … |
| CVE-2025-27407 | CRITICAL | 9.0 | 2025-03-12 | graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a m… | |
| CVE-2025-27507 | CRITICAL | Patched | 9.0 | 2025-03-04 | The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Re… |
| CVE-2025-26206 | CRITICAL | 9.0 | 2025-03-03 | Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component | |
| CVE-2025-27590 | CRITICAL | Patched | 9.0 | 2025-03-03 | In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web. |
| CVE-2025-23115 | CRITICAL | 9.0 | 2025-03-01 | A Use After Free vulnerability on UniFi Protect Cameras could allow a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras management network. | |
| CVE-2024-52577 | CRITICAL | Patched | 9.0 | 2025-02-14 | In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited i… |
| CVE-2025-21198 | CRITICAL | Patched | 9.0 | 2025-02-11 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability |
| CVE-2024-39272 | CRITICAL | 9.0 | 2025-02-06 | A cross-site scripting (xss) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to… | |
| CVE-2025-23114 | CRITICAL | 9.0 | 2025-02-05 | A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to proper… | |
| CVE-2024-55227 | CRITICAL | 9.0 | 2025-01-27 | A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payl… | |
| CVE-2024-55228 | CRITICAL | 9.0 | 2025-01-27 | A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload in… | |
| CVE-2024-52975 | CRITICAL | 9.0 | 2025-01-23 | An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive … | |
| CVE-2025-23061 | CRITICAL | Patched | 9.0 | 2025-01-15 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix f… |
| CVE-2024-54142 | CRITICAL | Patched | 9.0 | 2025-01-14 | Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities tho… |
| CVE-2024-49375 | CRITICAL | Patched | 9.0 | 2025-01-14 | Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotel… |
| CVE-2025-23025 | CRITICAL | Patched | 9.0 | 2025-01-14 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, a… |
| CVE-2024-39604 | CRITICAL | 9.0 | 2025-01-14 | A command execution vulnerability exists in the update_filter_url.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitr… | |
| CVE-2024-39273 | CRITICAL | 9.0 | 2025-01-14 | A firmware update vulnerability exists in the fw_check.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary firmwar… | |
| CVE-2024-48886 | CRITICAL | Patched | 9.0 | 2025-01-14 | A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7… |
| CVE-2024-47572 | CRITICAL | Patched | 9.0 | 2025-01-14 | An improper neutralization of formula elements in a csv file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows attacker to execute unauthorized code or commands via manipula… |
| CVE-2025-0282 | CRITICAL | 9.0 | 2025-01-08 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before ver… | |
| CVE-2024-51466 | CRITICAL | Patched | 9.0 | 2024-12-20 | IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could ex… |