Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,636
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 12,901 - 12,920 of 37,942 CVEs
CVE-2026-31216 CRITICAL - 9.1

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send craft...

Published: May 12, 2026
Source: NVD
CVE-2026-31215 CRITICAL - 9.1

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter....

Published: May 12, 2026
Source: NVD
CVE-2026-31214 CRITICAL - 9.8

The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restr...

Published: May 12, 2026
Source: NVD
CVE-2026-30810 HIGH - 8.8

Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2026-30808 HIGH - 8.1

Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2026-30807 HIGH - 8.8

Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2026-30805 CRITICAL - 9.1

Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2023-30059 MEDIUM - 5.4

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request.

Published: May 12, 2026
Source: NVD
CVE-2023-27753 HIGH - 8.0

An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file.

Published: May 12, 2026
Source: NVD
CVE-2026-42073 MEDIUM - 6.5

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against...

Vendor: npm
Product: @gitlawb/openclaude
Published: May 12, 2026
Source: GitHub
CVE-2026-8401 CRITICAL - 9.8

Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

Vendor: mozilla
Product: firefox
Published: May 12, 2026
Source: NVD
CVE-2026-8368 MEDIUM - 6.5

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent...

Published: May 12, 2026
Source: NVD
CVE-2026-8111 HIGH - 8.8

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

Vendor: ivanti
Product: endpoint_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8110 HIGH - 7.8

Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

Vendor: ivanti
Product: endpoint_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8109 MEDIUM - 6.5

An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

Vendor: ivanti
Product: endpoint_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8051 HIGH - 7.2

OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Vendor: ivanti
Product: virtual_traffic_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8043 CRITICAL - 9.6

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

Vendor: ivanti
Product: xtraction
Published: May 12, 2026
Source: NVD
CVE-2026-7432 HIGH - 7.8

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

Vendor: ivanti
Product: secure_access_client
Published: May 12, 2026
Source: NVD
CVE-2026-7431 MEDIUM - 4.4

An incorrect permission assignment for critical resource of Ivanti Secure Access Client   before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.

Vendor: ivanti
Product: secure_access_client
Published: May 12, 2026
Source: NVD

CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.

Published: May 12, 2026
Source: NVD