19,591 CVEs · High severity
CVEs (19,591, showing first 500)
Showing 1–25 of 19,591 (capped at 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-43984 | HIGH | | 8.9 | 2026-06-04 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest us… |
| CVE-2026-42611 | HIGH | Patched | 8.9 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS… |
| CVE-2026-42556 | HIGH | Patched | 8.9 | 2026-05-08 | Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post co… |
| CVE-2026-5787 | HIGH | Patched | 8.9 | 2026-05-07 | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry… |
| CVE-2026-38949 | HIGH | | 8.9 | 2026-04-28 | Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails … |
| CVE-2026-5921 | HIGH | Patched | 8.9 | 2026-04-21 | A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the i… |
| CVE-2026-40487 | HIGH | | 8.9 | 2026-04-18 | Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other… |
| CVE-2025-40899 | HIGH | | 8.9 | 2026-04-15 | A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user wit… |
| CVE-2026-39328 | HIGH | Patched | 8.9 | 2026-04-07 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality… |
| CVE-2026-31889 | HIGH | Patched | 8.9 | 2026-03-11 | Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow at… |
| CVE-2026-30934 | HIGH | Patched | 8.9 | 2026-03-10 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, des… |
| CVE-2026-25737 | HIGH | Patched | 8.9 | 2026-03-09 | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though f… |
| CVE-2026-27169 | HIGH | Patched | 8.9 | 2026-02-21 | OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below render untrusted user/model content i… |
| CVE-2026-24772 | HIGH | Patched | 8.9 | 2026-01-28 | OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization serv… |
| CVE-2026-23527 | HIGH | Patched | 8.9 | 2026-01-15 | H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing… |
| CVE-2025-68920 | HIGH | Patched | 8.9 | 2025-12-24 | C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary file… |
| CVE-2025-40892 | HIGH | Patched | 8.9 | 2025-12-18 | A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report … |
| CVE-2025-68116 | HIGH | Patched | 8.9 | 2025-12-16 | FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-re… |
| CVE-2025-11956 | HIGH | Patched | 8.9 | 2025-11-06 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Co. OBS (Student Affairs Information Syste… |
| CVE-2025-60507 | HIGH | | 8.9 | 2025-10-21 | Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. Th… |
| CVE-2025-61197 | HIGH | | 8.9 | 2025-10-06 | An issue in Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, Optimod Trio Optimod version 1.0.0.33 - System version 2.5.26 allows a remote attacker to esca… |
| CVE-2025-10467 | HIGH | | 8.9 | 2025-09-25 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (S… |
| CVE-2025-9798 | HIGH | Patched | 8.9 | 2025-09-23 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Netigma allows Stored XSS. This issue aff… |
| CVE-2025-55118 | HIGH | | 8.9 | 2025-09-16 | Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Age… |
| CVE-2025-55145 | HIGH | Patched | 8.9 | 2025-09-09 | Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons fo… |