30,918 CVEs · Critical severity
CVEs (30,918, showing first 500)
Showing 1–25 of 30,918 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↑ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-40128 | CRITICAL | | 9.0 | 2026-06-09 | SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters,… |
| CVE-2026-11393 | CRITICAL | Patched | 9.0 | 2026-06-08 | Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute… |
| CVE-2026-45750 | CRITICAL | Patched | 9.0 | 2026-06-05 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolveP… |
| CVE-2026-45746 | CRITICAL | Patched | 9.0 | 2026-06-05 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Term… |
| CVE-2026-36748 | CRITICAL | | 9.0 | 2026-06-03 | RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile. |
| CVE-2026-9311 | CRITICAL | Patched | 9.0 | 2026-06-01 | IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls. |
| CVE-2026-9319 | CRITICAL | Patched | 9.0 | 2026-06-01 | IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security. |
| CVE-2026-45630 | CRITICAL | | 9.0 | 2026-05-29 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoin… |
| CVE-2026-9891 | CRITICAL | Patched | 9.0 | 2026-05-28 | Use after free in Extensions in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox es… |
| CVE-2026-9881 | CRITICAL | Patched | 9.0 | 2026-05-28 | Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to potentially perform… |
| CVE-2026-46833 | CRITICAL | Patched | 9.0 | 2026-05-28 | Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows un… |
| CVE-2026-4408 | CRITICAL | Patched | 9.0 | 2026-05-28 | A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" featur… |
| CVE-2026-32999 | CRITICAL | | 9.0 | 2026-05-28 | Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute arbitrary code on behalf of a… |
| CVE-2026-48150 | CRITICAL | Patched | 9.0 | 2026-05-27 | Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a build… |
| CVE-2026-45721 | CRITICAL | Patched | 9.0 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage … |
| CVE-2026-4480 | CRITICAL | Patched | 9.0 | 2026-05-26 | A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via t… |
| CVE-2026-2651 | CRITICAL | Patched | 9.0 | 2026-05-25 | A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorizat… |
| CVE-2026-22314 | CRITICAL | | 9.0 | 2026-05-20 | Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on… |
| CVE-2026-45375 | CRITICAL | Patched | 9.0 | 2026-05-14 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's pl… |
| CVE-2026-42457 | CRITICAL | Patched | 9.0 | 2026-05-14 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is… |
| CVE-2026-41901 | CRITICAL | Patched | 9.0 | 2026-05-12 | Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execut… |
| CVE-2026-44221 | CRITICAL | Patched | 9.0 | 2026-05-12 | ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database … |
| CVE-2026-41588 | CRITICAL | Patched | 9.0 | 2026-05-08 | RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patch… |
| CVE-2026-33844 | CRITICAL | | 9.0 | 2026-05-07 | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. |
| CVE-2026-42370 | CRITICAL | Patched | 9.0 | 2026-05-04 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary cod… |