Total CVEs: 141,492
Critical Severity: 3,867
High Severity: 13,899
Last 7 Days: 1,756
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,961 - 13,980 of 37,897 CVEs
CVE-2024-27686 HIGH - 7.5

Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445.

Published: May 08, 2026
Source: NVD
CVE-2023-47268 MEDIUM - 5.3

In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.

Vendor: prusa3d
Product: prusaslicer
Published: May 08, 2026
Source: NVD
CVE-2026-8148 HIGH - 7.8

NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks.

Vendor: navercorp
Product: mybox
Published: May 08, 2026
Source: NVD
CVE-2026-8138 HIGH - 8.8

A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.

Vendor: tenda
Product: cx12l_firmware
Published: May 08, 2026
Source: NVD
CVE-2026-8137 HIGH - 8.8

A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclose...

Published: May 08, 2026
Source: NVD
CVE-2026-42279 MEDIUM - 5.8

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-ent...

Vendor: solidtime-io
Product: solidtime
Published: May 08, 2026
Source: NVD

UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the pr...

Vendor: UltraDAGcom
Product: core
Published: May 08, 2026
Source: NVD
CVE-2026-42277 MEDIUM - 6.5

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the ...

Vendor: onyx-dot-app
Product: onyx
Published: May 08, 2026
Source: NVD
CVE-2026-42276 MEDIUM - 4.3

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the call...

Vendor: onyx-dot-app
Product: onyx
Published: May 08, 2026
Source: NVD
CVE-2023-42346 HIGH - 7.5

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.

Published: May 08, 2026
Source: NVD
CVE-2023-42345 MEDIUM - 6.1

A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.

Published: May 08, 2026
Source: NVD
CVE-2023-42344 HIGH - 7.3

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

Published: May 08, 2026
Source: NVD
CVE-2023-42343 MEDIUM - 6.1

A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type.

Published: May 08, 2026
Source: NVD
CVE-2022-45899 MEDIUM - 6.5

Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field.

Published: May 08, 2026
Source: NVD
CVE-2022-26523 MEDIUM - 5.3

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94.

Published: May 08, 2026
Source: NVD
CVE-2022-26522 HIGH - 7.8

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.

Published: May 08, 2026
Source: NVD
CVE-2022-23961 MEDIUM - 6.1

In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface.

Published: May 08, 2026
Source: NVD
CVE-2026-8136 LOW - 2.4

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may...

Published: May 08, 2026
Source: NVD
CVE-2026-8133 HIGH - 7.3

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to SQL injection. The attack can be launched re...

Published: May 08, 2026
Source: NVD
CVE-2026-8132 HIGH - 7.3

A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be u...

Published: May 08, 2026
Source: NVD