Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,667
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,741 - 13,760 of 37,697 CVEs

PredatorSense version 3.00.3136 to 3.00.3196 contain a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary...

Published: May 08, 2026
Source: NVD
CVE-2026-4935 MEDIUM - 6.5

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.

Published: May 08, 2026
Source: NVD

In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.

Vendor: OpenStack
Product: Ironic
Published: May 08, 2026
Source: NVD
CVE-2025-69691 CRITICAL - 9.9

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

Vendor: pfsense
Product: pfsense
Published: May 08, 2026
Source: NVD
CVE-2025-69690 CRITICAL - 9.1

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute...

Vendor: pfsense
Product: pfsense
Published: May 08, 2026
Source: NVD
CVE-2025-69599 CRITICAL - 9.8

RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration.

Published: May 08, 2026
Source: NVD
CVE-2025-67888 HIGH - 7.3

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated a...

Published: May 08, 2026
Source: NVD
CVE-2025-67887 CRITICAL - 9.8

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged u...

Published: May 08, 2026
Source: NVD
CVE-2025-67886 MEDIUM - 6.3

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged us...

Published: May 08, 2026
Source: NVD
CVE-2025-55449 HIGH - 7.3

AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

Vendor: astrbot
Product: astrbot
Published: May 08, 2026
Source: NVD
CVE-2023-46453 CRITICAL - 9.8

Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-M...

Published: May 08, 2026
Source: NVD
CVE-2024-53326 HIGH - 7.3

LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.

Published: May 08, 2026
Source: NVD
CVE-2024-51092 CRITICAL - 9.1

LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().

Vendor: librenms
Product: librenms
Published: May 08, 2026
Source: NVD
CVE-2024-46508 HIGH - 7.5

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).

Vendor: yeti-platform
Product: yeti
Published: May 08, 2026
Source: NVD
CVE-2024-46507 HIGH - 7.3

A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.

Vendor: yeti-platform
Product: yeti
Published: May 08, 2026
Source: NVD
CVE-2024-45257 HIGH - 7.3

A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in freeze in core/generators.py.

Published: May 08, 2026
Source: NVD
CVE-2024-33724 MEDIUM - 5.4

SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php.

Published: May 08, 2026
Source: NVD
CVE-2024-33722 MEDIUM - 6.3

SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[].

Published: May 08, 2026
Source: NVD
CVE-2024-33288 HIGH - 7.3

Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page.

Published: May 08, 2026
Source: NVD
CVE-2024-30167 MEDIUM - 6.3

/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.

Published: May 08, 2026
Source: NVD