CVEs (59,256, showing first 500)
Showing 176–200 of 59,256 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-68001 | CRITICAL | | 10.0 | 2026-01-22 | Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server. This issue affects g-FFL C… |
| CVE-2025-50002 | CRITICAL | | 10.0 | 2026-01-22 | Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a throu… |
| CVE-2026-21962 | CRITICAL | | 10.0 | 2026-01-20 | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP … |
| CVE-2026-21636 | CRITICAL | Patched | 10.0 | 2026-01-20 | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, … |
| CVE-2026-23800 | CRITICAL | Patched | 10.0 | 2026-01-16 | Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0. |
| CVE-2025-61937 | CRITICAL | Patched | 10.0 | 2026-01-16 | The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially res… |
| CVE-2026-22686 | CRITICAL | Patched | 10.0 | 2026-01-14 | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows… |
| CVE-2025-68271 | CRITICAL | Patched | 10.0 | 2026-01-13 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a criti… |
| CVE-2026-0881 | CRITICAL | Patched | 10.0 | 2026-01-13 | Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. |
| CVE-2025-40805 | CRITICAL | | 10.0 | 2026-01-13 | Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authenticatio… |
| CVE-2025-63314 | CRITICAL | | 10.0 | 2026-01-12 | A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a ful… |
| CVE-2025-52694 | CRITICAL | Patched | 10.0 | 2026-01-12 | Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when i… |
| CVE-2025-65091 | CRITICAL | Patched | 10.0 | 2026-01-10 | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including gues… |
| CVE-2025-69425 | NONE | | — | 2026-01-09 | The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to … |
| CVE-2025-69426 | NONE | | — | 2026-01-09 | The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. … |
| CVE-2025-64090 | CRITICAL | Patched | 10.0 | 2026-01-09 | This vulnerability allows authenticated attackers to execute commands via the hostname of the device. |
| CVE-2025-64093 | CRITICAL | Patched | 10.0 | 2026-01-09 | Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. |
| CVE-2025-70974 | CRITICAL | Patched | 10.0 | 2026-01-09 | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to ce… |
| CVE-2026-21858 | CRITICAL | Patched | 10.0 | 2026-01-08 | n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through exec… |
| CVE-2025-61492 | CRITICAL | | 10.0 | 2026-01-07 | A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input. |
| CVE-2024-58338 | CRITICAL | | 10.0 | 2025-12-30 | Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attacker… |
| CVE-2025-52691 | CRITICAL | Patched | 10.0 | 2025-12-29 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remo… |
| CVE-2025-54322 | CRITICAL | Patched | 10.0 | 2025-12-27 | Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used. |
| CVE-2025-14931 | CRITICAL | | 10.0 | 2025-12-23 | Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute … |
| CVE-2024-57521 | CRITICAL | Patched | 10.0 | 2025-12-23 | SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. |