Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,618
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,981 - 14,000 of 37,942 CVEs

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD
CVE-2026-43284 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2013-10075 CRITICAL - 9.1

Apache::Session versions through 1.94 for Perl re-create deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.

Vendor: CHORNY
Product: Apache::Session
Published: May 08, 2026
Source: NVD

A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f. This vulnerability is associated with program files gcm128w, gcm512w. This issue affects BC-FJA: from 2.1.0 through 2.1.2.

Published: May 08, 2026
Source: NVD

PredatorSense versions 3.00.3136 to 3.00.3196 contain a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary...

Published: May 08, 2026
Source: NVD
CVE-2026-4935 MEDIUM - 6.5

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.

Published: May 08, 2026
Source: NVD

In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.

Vendor: OpenStack
Product: Ironic
Published: May 08, 2026
Source: NVD
CVE-2025-69691 CRITICAL - 9.9

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

Vendor: pfsense
Product: pfsense
Published: May 08, 2026
Source: NVD
CVE-2025-69690 CRITICAL - 9.1

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute...

Vendor: pfsense
Product: pfsense
Published: May 08, 2026
Source: NVD
CVE-2025-69599 CRITICAL - 9.8

RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration.

Published: May 08, 2026
Source: NVD
CVE-2025-67888 HIGH - 7.3

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated a...

Published: May 08, 2026
Source: NVD
CVE-2025-67887 CRITICAL - 9.8

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged u...

Published: May 08, 2026
Source: NVD
CVE-2025-67886 MEDIUM - 6.3

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged us...

Published: May 08, 2026
Source: NVD
CVE-2025-55449 HIGH - 7.3

AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

Vendor: astrbot
Product: astrbot
Published: May 08, 2026
Source: NVD
CVE-2023-46453 CRITICAL - 9.8

Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-M...

Published: May 08, 2026
Source: NVD
CVE-2024-53326 HIGH - 7.3

LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.

Published: May 08, 2026
Source: NVD
CVE-2024-51092 CRITICAL - 9.1

LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().

Vendor: librenms
Product: librenms
Published: May 08, 2026
Source: NVD
CVE-2024-46508 HIGH - 7.5

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).

Vendor: yeti-platform
Product: yeti
Published: May 08, 2026
Source: NVD
CVE-2024-46507 HIGH - 7.3

A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.

Vendor: yeti-platform
Product: yeti
Published: May 08, 2026
Source: NVD