Total CVEs

141,272

Critical Severity

3,795

High Severity

13,729

Last 7 Days

1,863
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 9,981 - 10,000 of 37,677 CVEs
CVE-2026-48683 MEDIUM - 6.5

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read vulnerability in the NetFlow v9 data flowset processor. In src/netflow_plugin/netflow_v9_collector.cpp, the Data template branch (lines 1695-1702) iterates over flow records without performing a per-iteration bounds check agai...

Published: May 26, 2026
Source: NVD
CVE-2026-46620 MEDIUM - 6.5

e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validat...

Vendor: e107inc
Product: e107
Published: May 26, 2026
Source: NVD
CVE-2026-43936 MEDIUM - 4.3

e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed ...

Vendor: e107inc
Product: e107
Published: May 26, 2026
Source: NVD
CVE-2026-43935 HIGH - 8.1

e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or...

Vendor: e107inc
Product: e107
Published: May 26, 2026
Source: NVD
CVE-2026-43934 MEDIUM - 6.5

e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends o...

Vendor: e107inc
Product: e107
Published: May 26, 2026
Source: NVD
CVE-2026-40564 MEDIUM - 6.5

Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.  This lets a user with CR create permissions read file...

Vendor: Apache Software Foundation
Product: Apache Flink Kubernetes Operator
Published: May 26, 2026
Source: NVD
CVE-2026-38587 MEDIUM - 4.3

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique i...

Published: May 26, 2026
Source: NVD
CVE-2026-25112 HIGH - 7.8

A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack.

Vendor: Genetec Inc.
Product: Genetec RabbitMQ, Genetec Mission Control, Genetec Sipelia, Genetec Industrial IoT, Genetec Airport Operational Manager, Genetec Restricted Security Area, Genetec Inter-System Gateway
Published: May 26, 2026
Source: NVD
CVE-2026-9552 HIGH - 7.3

A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been releas...

Published: May 26, 2026
Source: NVD
CVE-2026-9551 HIGH - 7.3

A vulnerability was identified in Das Parking Management System 停车场管理系统 6.2.0. This affects the function xp_cmdshell of the file ParkingRecord/ExportParkingRecords of the component API Endpoint. The manipulation of the argument Value leads to sql injection. It is possible to initiate the attack remo...

Published: May 26, 2026
Source: NVD
CVE-2026-9550 HIGH - 7.3

A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of the file /SubstationWEBV2/app/..;/main/upfile. Executing a manipulation of the argument path can lead to path traversal. Th...

Published: May 26, 2026
Source: NVD
CVE-2026-4480 HIGH - 8.5

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this ...

Vendor: redhat
Product: openshift_container_platform
Published: May 26, 2026
Source: NVD
CVE-2026-46368 HIGH - 8.8

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holdi...

Vendor: mossdef-org
Product: luci-app-https-dns-proxy
Published: May 26, 2026
Source: NVD
CVE-2026-45247 CRITICAL - 9.8

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted cal...

Vendor: Mirasvit
Product: Full Page Cache Warmer for Magento 2
Published: May 26, 2026
Source: NVD
CVE-2026-45082 HIGH - 7.6

Karakeep is a elf-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward ...

Vendor: karakeep-app
Product: karakeep
Published: May 26, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-43918. Reason: This candidate is a duplicate of CVE-2026-43918. Notes: All CVE users should reference CVE-2026-43918 instead of this candidate.

Published: May 26, 2026
Source: NVD
CVE-2026-42785 HIGH - 7.2

OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands i...

Vendor: Openkm
Product: OpenKM Community Edition, OpenKM Professional Edition
Published: May 26, 2026
Source: NVD
CVE-2026-42425 HIGH - 7.2

OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/Da...

Vendor: Openkm
Product: OpenKM Community Edition, OpenKM Professional Edition
Published: May 26, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-28496. Reason: This candidate is a duplicate of CVE-2026-28496. Notes: All CVE users should reference CVE-2026-28496 instead of this candidate.

Published: May 26, 2026
Source: NVD
CVE-2026-41917 MEDIUM - 4.9

OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can ...

Vendor: Openkm
Product: OpenKM Community Edition, OpenKM Professional Edition
Published: May 26, 2026
Source: NVD