127 CVEs · Critical severity
Showing 1–25 of 127
| CVE ID | Severity | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-9270 | CRITICAL | | 9.1 | 2026-06-05 | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from unt… |
| CVE-2026-8206 | CRITICAL | | 9.8 | 2026-06-02 | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0… |
| CVE-2026-8037 | CRITICAL | | 9.6 | 2026-06-04 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster… |
| CVE-2026-7763 | CRITICAL | | 9.8 | 2026-06-05 | A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated… |
| CVE-2026-7762 | CRITICAL | | 9.8 | 2026-06-05 | A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticat… |
| CVE-2026-7312 | CRITICAL | Patched | 10.0 | 2026-06-02 | CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.… |
| CVE-2026-7198 | CRITICAL | Patched | 9.8 | 2026-06-02 | CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be… |
| CVE-2026-6274 | CRITICAL | Patched | 9.8 | 2026-06-05 | Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allow… |
| CVE-2026-52778 | CRITICAL | | 9.8 | 2026-06-08 | YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The… |
| CVE-2026-5241 | CRITICAL | | 9.6 | 2026-06-03 | A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code durin… |
| CVE-2026-5076 | CRITICAL | | 9.8 | 2026-06-02 | The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext c… |
| CVE-2026-50751 | CRITICAL | | 9.3 | 2026-06-08 | A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user au… |
| CVE-2026-50225 | CRITICAL | Patched | 9.1 | 2026-06-04 | The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database. |
| CVE-2026-50214 | CRITICAL | Patched | 9.8 | 2026-06-04 | The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans. |
| CVE-2026-50211 | CRITICAL | Patched | 9.8 | 2026-06-04 | Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. |
| CVE-2026-50208 | CRITICAL | Patched | 9.4 | 2026-06-04 | High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could… |
| CVE-2026-50076 | CRITICAL | Patched | 9.1 | 2026-06-04 | Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass c… |
| CVE-2026-49777 | CRITICAL | Patched | 10.0 | 2026-06-05 | Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue af… |
| CVE-2026-49448 | CRITICAL | Patched | 9.8 | 2026-06-02 | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue ha… |
| CVE-2026-49191 | CRITICAL | Patched | 9.8 | 2026-06-04 | The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages. |
| CVE-2026-49188 | CRITICAL | Patched | 9.8 | 2026-06-04 | The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands. |
| CVE-2026-49186 | CRITICAL | Patched | 9.8 | 2026-06-04 | The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden n… |
| CVE-2026-49185 | CRITICAL | Patched | 9.8 | 2026-06-04 | The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection. |
| CVE-2026-48579 | CRITICAL | | 9.1 | 2026-06-04 | Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-48567 | CRITICAL | | 10.0 | 2026-06-04 | Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network. |