Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,667
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 13,721 - 13,740 of 37,697 CVEs
CVE-2025-69233 MEDIUM - 6.5

Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructu...

Vendor: Apache Software Foundation
Product: Apache CloudStack
Published: May 08, 2026
Source: NVD
CVE-2025-66467 HIGH - 8.0

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated...

Vendor: Apache Software Foundation
Product: Apache CloudStack
Published: May 08, 2026
Source: NVD
CVE-2025-66172 MEDIUM - 6.5

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and a...

Vendor: Apache Software Foundation
Product: Apache CloudStack
Published: May 08, 2026
Source: NVD
CVE-2025-66171 MEDIUM - 6.5

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the env...

Vendor: Apache Software Foundation
Product: Apache CloudStack
Published: May 08, 2026
Source: NVD
CVE-2025-66170 MEDIUM - 6.5

The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. T...

Vendor: Apache Software Foundation
Product: Apache CloudStack
Published: May 08, 2026
Source: NVD
CVE-2022-50994 HIGH - 8.1

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized...

Vendor: DrayTek
Product: Vigor 2960
Published: May 08, 2026
Source: NVD
CVE-2026-8153 CRITICAL - 9.8

OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.

Published: May 08, 2026
Source: NVD

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could a...

Published: May 08, 2026
Source: NVD

Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it...

Published: May 08, 2026
Source: NVD
CVE-2026-7650 MEDIUM - 6.4

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shor...

Published: May 08, 2026
Source: NVD
CVE-2026-7475 MEDIUM - 6.4

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`...

Published: May 08, 2026
Source: NVD

A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check and achieve arbitrary code execution as root on the server side. Depending on implementation the vulnerability can be exploited by an unauthenticated attacker.

Published: May 08, 2026
Source: NVD
CVE-2026-5341 MEDIUM - 6.4

The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

Published: May 08, 2026
Source: NVD
CVE-2026-7330 HIGH - 7.2

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escapin...

Published: May 08, 2026
Source: NVD
CVE-2026-5127 HIGH - 8.8

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files...

Published: May 08, 2026
Source: NVD

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD
CVE-2026-43284 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2013-10075 CRITICAL - 9.1

Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.

Vendor: CHORNY
Product: Apache::Session
Published: May 08, 2026
Source: NVD

A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f. This vulnerability is associated with program files gcm128w, gcm512w. This issue affects BC-FJA: from 2.1.0 through 2.1.2.

Published: May 08, 2026
Source: NVD