Total CVEs: 140,426
Critical Severity: 3,747
High Severity: 13,550
Last 7 Days: 1,487
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,141 - 11,160 of 36,831 CVEs
CVE-2026-44447 HIGH - 8.8

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 16.9.0.

Vendor: frappe
Product: erpnext
Published: May 13, 2026
Source: NVD
CVE-2026-44446 HIGH - 8.8

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This vulnerability is fixed in 15.104.3 and 16...

Vendor: frappe
Product: erpnext
Published: May 13, 2026
Source: NVD
CVE-2026-44445 MEDIUM - 6.5

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from the local file system, including sensitive configura...

Vendor: frappe
Product: erpnext
Published: May 13, 2026
Source: NVD
CVE-2026-44442 CRITICAL - 9.9

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

Vendor: frappe
Product: erpnext
Published: May 13, 2026
Source: NVD
CVE-2026-44441 MEDIUM - 5.0

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16....

Vendor: frappe
Product: erpnext
Published: May 13, 2026
Source: NVD
CVE-2026-44440 MEDIUM - 6.5

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent attacker to read arbitrary files. This vulnera...

Vendor: frappe
Product: erpnext
Published: May 13, 2026
Source: NVD

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide...

Vendor: cvat-ai
Product: cvat
Published: May 13, 2026
Source: NVD
CVE-2026-44195 MEDIUM - 5.3

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword (...

Vendor: opnsense
Product: core
Published: May 13, 2026
Source: NVD
CVE-2026-44194 CRITICAL - 9.1

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formattin...

Vendor: opnsense
Product: core
Published: May 13, 2026
Source: NVD
CVE-2026-44193 CRITICAL - 9.1

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7.

Vendor: opnsense
Product: core
Published: May 13, 2026
Source: NVD
CVE-2026-42463 HIGH - 8.1

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass vulnerability in the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema endpoint...

Vendor: dataease
Product: SQLBot
Published: May 13, 2026
Source: NVD

Rejected reason: This CVE is a duplicate of another CVE.

Published: May 13, 2026
Source: NVD

Rejected reason: This CVE is a duplicate of another CVE.

Published: May 13, 2026
Source: NVD
CVE-2026-32993 HIGH - 8.3

Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response.

Vendor: WebPros
Product: cPanel, WP Squared
Published: May 13, 2026
Source: NVD
CVE-2026-32992 HIGH - 8.2

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.

Vendor: WebPros
Product: cPanel, WP Squared
Published: May 13, 2026
Source: NVD
CVE-2026-29205 HIGH - 8.6

Incorrect privilege management and insufficient path filtering allow reading arbitrary files on the server via the cpdavd attachment download endpoints.

Vendor: WebPros
Product: cPanel, WP Squared
Published: May 13, 2026
Source: NVD

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP add...

Published: May 13, 2026
Source: NVD
CVE-2026-45714 CRITICAL - 9.1

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using th...

Vendor: cubecart
Product: v6
Published: May 13, 2026
Source: NVD
CVE-2026-45708 HIGH - 7.2

CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print.<md5>.php. files/.htaccess ships an expl...

Vendor: cubecart
Product: v6
Published: May 13, 2026
Source: NVD
CVE-2026-45229 HIGH - 8.8

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to perm...

Vendor: Cp0204
Product: quark-auto-save
Published: May 13, 2026
Source: NVD