31,027 CVEs · Critical severity

CVEs (31,027, showing first 500)

Showing 151–175 of 31,027 (capped at 500)

| CVE ID | Severity | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-9051 | CRITICAL | | 9.1 | 2026-05-29 | There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentica… |
| CVE-2026-47744 | CRITICAL | Patched | 9.9 | 2026-05-29 | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the … |
| CVE-2026-44649 | CRITICAL | Patched | 9.8 | 2026-05-29 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voi… |
| CVE-2026-44650 | CRITICAL | Patched | 9.1 | 2026-05-29 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voi… |
| CVE-2026-7786 | CRITICAL | | 9.8 | 2026-05-29 | Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmwar… |
| CVE-2026-5386 | CRITICAL | | 9.1 | 2026-05-29 | The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator passwor… |
| CVE-2026-45630 | CRITICAL | | 9.0 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoin… |
| CVE-2026-45631 | CRITICAL | Patched | 10.0 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets a… |
| CVE-2026-45632 | CRITICAL | | 9.9 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authen… |
| CVE-2026-45633 | CRITICAL | | 9.9 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSo… |
| CVE-2026-45661 | CRITICAL | | 9.9 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenti… |
| CVE-2026-45625 | CRITICAL | Patched | 9.9 | 2026-05-29 | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/custom… |
| CVE-2026-45628 | CRITICAL | | 9.6 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them… |
| CVE-2026-45629 | CRITICAL | | 9.9 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows… |
| CVE-2026-45663 | CRITICAL | | 9.9 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When… |
| CVE-2026-44962 | CRITICAL | | 9.9 | 2026-05-29 | Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without pr… |
| CVE-2026-4290 | CRITICAL | | 9.1 | 2026-05-29 | The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to… |
| CVE-2026-10042 | CRITICAL | | 9.8 | 2026-05-29 | manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py m… |
| CVE-2026-46376 | CRITICAL | Patched | 9.8 | 2026-05-29 | FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initi… |
| CVE-2026-10071 | CRITICAL | | 9.8 | 2026-05-29 | DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby e… |
| CVE-2026-45312 | CRITICAL | | 9.9 | 2026-05-29 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py)… |
| CVE-2026-9559 | CRITICAL | | 9.9 | 2026-05-29 | A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic… |
| CVE-2025-41276 | CRITICAL | Patched | 9.8 | 2026-05-29 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-50… |
| CVE-2025-41277 | CRITICAL | Patched | 9.8 | 2026-05-29 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-50… |
| CVE-2025-41268 | CRITICAL | Patched | 9.1 | 2026-05-29 | Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows… |