Total CVEs

141,272

Critical Severity

3,795

High Severity

13,729

Last 7 Days

1,898
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 9,681 - 9,700 of 37,677 CVEs
CVE-2026-6169 HIGH - 7.2

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval...

Published: May 27, 2026
Source: NVD
CVE-2026-49001 MEDIUM - 5.3

Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data.

Vendor: ZTE
Product: ZXUniPOS NDS-LTE
Published: May 27, 2026
Source: NVD
CVE-2026-41704 MEDIUM - 5.0

AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response c...

Vendor: Cloud Foundry Foundation
Product: BOSH Director
Published: May 27, 2026
Source: NVD
CVE-2026-41009 MEDIUM - 5.8

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line 318-325) reads exception['...

Vendor: Cloud Foundry Foundation
Product: BOSH Director
Published: May 27, 2026
Source: NVD
CVE-2026-40826 MEDIUM - 4.9

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40825 MEDIUM - 5.5

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. Thi...

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40824 MEDIUM - 5.5

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This...

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40823 MEDIUM - 5.5

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result ...

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40822 MEDIUM - 4.9

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40821 MEDIUM - 4.9

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40819 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40818 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40817 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40816 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40815 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40814 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40813 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40812 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40811 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD
CVE-2026-40810 HIGH - 7.5

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Vendor: MB connect line, Helmholz
Product: mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual
Published: May 27, 2026
Source: NVD