Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,904
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 13,881 - 13,900 of 38,923 CVEs
CVE-2026-31217 CRITICAL - 9.8

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file ...

Published: May 12, 2026
Source: NVD
CVE-2026-31216 CRITICAL - 9.1

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send craft...

Published: May 12, 2026
Source: NVD
CVE-2026-31215 CRITICAL - 9.1

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter....

Published: May 12, 2026
Source: NVD
CVE-2026-31214 CRITICAL - 9.8

The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restr...

Published: May 12, 2026
Source: NVD
CVE-2026-30810 HIGH - 8.8

Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2026-30808 HIGH - 8.1

Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2026-30807 HIGH - 8.8

Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2026-30805 CRITICAL - 9.1

Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800

Vendor: Pandora FMS
Product: Pandora FMS
Published: May 12, 2026
Source: NVD
CVE-2023-30059 MEDIUM - 5.4

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request.

Published: May 12, 2026
Source: NVD
CVE-2023-27753 HIGH - 8.0

An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file.

Published: May 12, 2026
Source: NVD
CVE-2026-42073 MEDIUM - 6.5

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against...

Vendor: npm
Product: @gitlawb/openclaude
Published: May 12, 2026
Source: GitHub
CVE-2026-8401 CRITICAL - 9.8

Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

Vendor: mozilla
Product: firefox
Published: May 12, 2026
Source: NVD
CVE-2026-8368 MEDIUM - 6.5

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent...

Published: May 12, 2026
Source: NVD
CVE-2026-8111 HIGH - 8.8

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

Vendor: ivanti
Product: endpoint_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8110 HIGH - 7.8

Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

Vendor: ivanti
Product: endpoint_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8109 MEDIUM - 6.5

An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

Vendor: ivanti
Product: endpoint_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8051 HIGH - 7.2

OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Vendor: ivanti
Product: virtual_traffic_manager
Published: May 12, 2026
Source: NVD
CVE-2026-8043 CRITICAL - 9.6

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

Vendor: ivanti
Product: xtraction
Published: May 12, 2026
Source: NVD
CVE-2026-7432 HIGH - 7.8

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

Vendor: ivanti
Product: secure_access_client
Published: May 12, 2026
Source: NVD
CVE-2026-7431 MEDIUM - 4.4

An incorrect permission assignment for critical resource of Ivanti Secure Access Client   before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.

Vendor: ivanti
Product: secure_access_client
Published: May 12, 2026
Source: NVD