31,034 CVEs · Critical severity
CVEs (31,034, showing first 500)
Showing 151–175 of 31,034 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-68271 | CRITICAL | Patched | 10.0 | 2026-01-13 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a criti… |
| CVE-2026-0881 | CRITICAL | Patched | 10.0 | 2026-01-13 | Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. |
| CVE-2025-40805 | CRITICAL | | 10.0 | 2026-01-13 | Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authenticatio… |
| CVE-2025-63314 | CRITICAL | | 10.0 | 2026-01-12 | A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a ful… |
| CVE-2025-52694 | CRITICAL | Patched | 10.0 | 2026-01-12 | Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when i… |
| CVE-2025-65091 | CRITICAL | Patched | 10.0 | 2026-01-10 | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including gues… |
| CVE-2025-64090 | CRITICAL | Patched | 10.0 | 2026-01-09 | This vulnerability allows authenticated attackers to execute commands via the hostname of the device. |
| CVE-2025-64093 | CRITICAL | Patched | 10.0 | 2026-01-09 | Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. |
| CVE-2025-70974 | CRITICAL | Patched | 10.0 | 2026-01-09 | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to ce… |
| CVE-2026-21858 | CRITICAL | Patched | 10.0 | 2026-01-08 | n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through exec… |
| CVE-2025-61492 | CRITICAL | | 10.0 | 2026-01-07 | A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input. |
| CVE-2024-58338 | CRITICAL | | 10.0 | 2025-12-30 | Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attacker… |
| CVE-2025-52691 | CRITICAL | Patched | 10.0 | 2025-12-29 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remo… |
| CVE-2025-54322 | CRITICAL | Patched | 10.0 | 2025-12-27 | Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used. |
| CVE-2025-14931 | CRITICAL | | 10.0 | 2025-12-23 | Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute … |
| CVE-2024-57521 | CRITICAL | Patched | 10.0 | 2025-12-23 | SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. |
| CVE-2025-67109 | CRITICAL | Patched | 10.0 | 2025-12-23 | Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges. |
| CVE-2025-67108 | CRITICAL | | 10.0 | 2025-12-23 | eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections. |
| CVE-2025-67288 | CRITICAL | | 10.0 | 2025-12-22 | An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supp… |
| CVE-2025-65037 | CRITICAL | | 10.0 | 2025-12-18 | Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network. |
| CVE-2025-65041 | CRITICAL | | 10.0 | 2025-12-18 | Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-62521 | CRITICAL | Patched | 10.0 | 2025-12-17 | ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows u… |
| CVE-2025-20393 | CRITICAL | Patched | 10.0 | 2025-12-17 | A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticate… |
| CVE-2025-44005 | CRITICAL | | 10.0 | 2025-12-17 | An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. |
| CVE-2025-63414 | CRITICAL | | 10.0 | 2025-12-16 | A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a cra… |