585 CVEs · Critical severity
| CVE ID | Severity | Patch | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-14179 | CRITICAL | Patched | 9.8 | 2026-05-10 | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing S… |
| CVE-2026-6722 | CRITICAL | Patched | 9.8 | 2026-05-10 | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers t… |
| CVE-2026-7261 | CRITICAL | Patched | 9.8 | 2026-05-10 | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the hand… |
| CVE-2026-6104 | CRITICAL | Patched | 9.1 | 2026-05-10 | In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring fun… |
| CVE-2021-47923 | CRITICAL |  | 9.8 | 2026-05-10 | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers c… |
| CVE-2021-47932 | CRITICAL |  | 9.8 | 2026-05-10 | WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted r… |
| CVE-2021-47933 | CRITICAL |  | 9.8 | 2026-05-10 | WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the R… |
| CVE-2021-47936 | CRITICAL |  | 9.8 | 2026-05-10 | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised… |
| CVE-2021-47940 | CRITICAL |  | 9.8 | 2026-05-10 | WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious file… |
| CVE-2026-40636 | CRITICAL | Patched | 9.8 | 2026-05-11 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains a use of hard-coded credentials vulnerability. An unauthenticated attacke… |
| CVE-2026-42607 | CRITICAL | Patched | 9.1 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specia… |
| CVE-2026-42608 | CRITICAL | Patched | 9.1 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passe… |
| CVE-2026-42613 | CRITICAL | Patched | 9.4 | 2026-05-11 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the reg… |
| CVE-2026-44643 | CRITICAL | Patched | 10.0 | 2026-05-11 | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters… |
| CVE-2026-7813 | CRITICAL | Patched | 9.9 | 2026-05-11 | Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetch… |
| CVE-2026-38567 | CRITICAL |  | 9.8 | 2026-05-11 | HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An… |
| CVE-2026-43995 | CRITICAL | Patched | 9.8 | 2026-05-11 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP c… |
| CVE-2026-7210 | CRITICAL | Patched | 9.8 | 2026-05-11 | `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.… |
| CVE-2026-42864 | CRITICAL | Patched | 9.9 | 2026-05-11 | FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authenticat… |
| CVE-2026-42869 | CRITICAL | Patched | 10.0 | 2026-05-11 | SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing s… |
| CVE-2026-42882 | CRITICAL | Patched | 9.4 | 2026-05-11 | oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the … |
| CVE-2026-43899 | CRITICAL | Patched | 9.6 | 2026-05-11 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-5573… |
| CVE-2026-43900 | CRITICAL | Patched | 9.3 | 2026-05-11 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability… |
| CVE-2026-45321 | CRITICAL |  | 9.6 | 2026-05-12 | On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authen… |
| CVE-2026-34260 | CRITICAL |  | 9.6 | 2026-05-12 | SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-co… |