Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,780
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 14,461 - 14,480 of 38,432 CVEs
CVE-2022-50994 HIGH - 8.1

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized...

Vendor: DrayTek
Product: Vigor 2960
Published: May 08, 2026
Source: NVD
CVE-2026-8153 CRITICAL - 9.8

OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS.

Published: May 08, 2026
Source: NVD

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could a...

Published: May 08, 2026
Source: NVD

Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it...

Published: May 08, 2026
Source: NVD
CVE-2026-7650 MEDIUM - 6.4

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shor...

Published: May 08, 2026
Source: NVD
CVE-2026-7475 MEDIUM - 6.4

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`...

Published: May 08, 2026
Source: NVD

A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check and achieve arbitrary code execution as root on the server side. Depending on implementation the vulnerability can be exploited by an unauthenticated attacker.

Published: May 08, 2026
Source: NVD
CVE-2026-5341 MEDIUM - 6.4

The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

Published: May 08, 2026
Source: NVD
CVE-2026-7330 HIGH - 7.2

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escapin...

Published: May 08, 2026
Source: NVD
CVE-2026-5127 HIGH - 8.8

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files...

Published: May 08, 2026
Source: NVD

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

Vendor: uriparser
Product: uriparser
Published: May 08, 2026
Source: NVD
CVE-2026-43284 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet...

Vendor: Linux
Product: Linux
Published: May 08, 2026
Source: NVD
CVE-2013-10075 CRITICAL - 9.1

Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.

Vendor: CHORNY
Product: Apache::Session
Published: May 08, 2026
Source: NVD

A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f. This vulnerability is associated with program files gcm128w, gcm512w. This issue affects BC-FJA: from 2.1.0 through 2.1.2.

Published: May 08, 2026
Source: NVD

PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary...

Published: May 08, 2026
Source: NVD
CVE-2026-4935 MEDIUM - 6.5

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.

Published: May 08, 2026
Source: NVD

In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.

Vendor: OpenStack
Product: Ironic
Published: May 08, 2026
Source: NVD
CVE-2025-69691 CRITICAL - 9.9

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

Vendor: pfsense
Product: pfsense
Published: May 08, 2026
Source: NVD
CVE-2025-69690 CRITICAL - 9.1

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute...

Vendor: pfsense
Product: pfsense
Published: May 08, 2026
Source: NVD