Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Showing 10,801 - 10,820 of 14,108 CVEs
CVE-2026-28425 HIGH - 8.0

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the appl...

Vendor: statamic
Product: cms
Published: Feb 27, 2026
Source: NVD
CVE-2026-28416 HIGH - 8.2

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application u...

Vendor: gradio-app
Product: gradio
Published: Feb 27, 2026
Source: NVD
CVE-2026-28414 HIGH - 7.5

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Windows with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed t...

Vendor: gradio-app
Product: gradio
Published: Feb 27, 2026
Source: NVD
CVE-2026-28406 HIGH - 8.2

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path stays within `dest`. A...

Vendor: chainguard-forks
Product: kaniko
Published: Feb 27, 2026
Source: NVD
CVE-2026-28402 HIGH - 7.1

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.2.2, a malicious or compromised validator that is elected as proposer can publish a macro block proposal where `header.body_root` does not match the ac...

Vendor: nimiq
Product: core-rs-albatross
Published: Feb 27, 2026
Source: NVD
CVE-2026-28400 HIGH - 7.5

Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama...

Vendor: docker
Product: model-runner
Published: Feb 27, 2026
Source: NVD
CVE-2026-27939 HIGH - 8.8

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitiv...

Vendor: statamic
Product: cms
Published: Feb 27, 2026
Source: NVD
CVE-2026-28272 HIGH - 8.1

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface....

Vendor: kiteworks
Product: security-advisories
Published: Feb 27, 2026
Source: NVD
CVE-2026-27947 HIGH - 8.8

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat...

Vendor: Intermesh
Product: groupoffice
Published: Feb 27, 2026
Source: NVD
CVE-2026-27836 HIGH - 7.5

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited u...

Vendor: thorsten
Product: phpMyFAQ
Published: Feb 27, 2026
Source: NVD
CVE-2026-27832 HIGH - 8.8

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.ph...

Vendor: Intermesh
Product: groupoffice
Published: Feb 27, 2026
Source: NVD
CVE-2026-27707 HIGH - 7.3

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured...

Vendor: seerr-team
Product: seerr
Published: Feb 27, 2026
Source: NVD

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter,...

Vendor: npm
Product: @fastify/middie
Published: Feb 27, 2026
Source: NVD
CVE-2026-27757 HIGH - 7.1

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. Attackers who gain access to an authenticated session can modify credentials to maintain persistent a...

Vendor: Shenzhen Hongyavision Technology Co., Ltd. (Sodola Networks)
Product: SODOLA SL902-SWTGW124AS
Published: Feb 27, 2026
Source: NVD
CVE-2026-26862 HIGH - 8.3

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "da...

Vendor: npm
Product: clevertap-web-sdk
Published: Feb 27, 2026
Source: NVD
CVE-2026-26861 HIGH - 8.3

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed...

Vendor: npm
Product: clevertap-web-sdk
Published: Feb 27, 2026
Source: NVD
CVE-2019-25497 HIGH - 8.2

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection p...

Vendor: Oscommerce
Product: osCommerce
Published: Feb 27, 2026
Source: NVD
CVE-2019-25496 HIGH - 8.2

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection paylo...

Vendor: Oscommerce
Product: osCommerce
Published: Feb 27, 2026
Source: NVD
CVE-2019-25495 HIGH - 8.2

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL...

Vendor: Oscommerce
Product: osCommerce
Published: Feb 27, 2026
Source: NVD
CVE-2019-25494 HIGH - 8.2

Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to...

Vendor: Doditsolutions
Product: Homey BNB (Airbnb Clone Script)
Published: Feb 27, 2026
Source: NVD