Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 15,521 - 15,540 of 38,432 CVEs
CVE-2023-54344 CRITICAL - 9.8

Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork...

Vendor: equinox
Product: OSGi
Published: May 05, 2026
Source: NVD
CVE-2023-54342 CRITICAL - 9.8

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform...

Vendor: equinox
Product: OSGi
Published: May 05, 2026
Source: NVD
CVE-2026-6322 HIGH - 7.5

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator,...

Vendor: npm
Product: fast-uri
Published: May 05, 2026
Source: NVD
CVE-2025-42611 MEDIUM - 6.5

RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses ...

Vendor: Mikrotik
Product: RouterOS
Published: May 05, 2026
Source: NVD
CVE-2026-43870 HIGH - 7.3

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue af...

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD
CVE-2026-43868 MEDIUM - 5.3

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD
CVE-2026-3601 MEDIUM - 4.3

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-lev...

Published: May 05, 2026
Source: NVD
CVE-2026-3359 HIGH - 7.5

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara...

Published: May 05, 2026
Source: NVD
CVE-2026-43869 HIGH - 7.3

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD

An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive...

Published: May 05, 2026
Source: NVD
CVE-2026-6418 MEDIUM - 4.9

An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with ad...

Vendor: papercut
Product: papercut_mf
Published: May 05, 2026
Source: NVD
CVE-2026-6180 HIGH - 8.1

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification f...

Vendor: papercut
Product: papercut_mf
Published: May 05, 2026
Source: NVD
CVE-2026-5192 HIGH - 7.5

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents...

Published: May 05, 2026
Source: NVD
CVE-2026-40797 CRITICAL - 9.3

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: from n/a through 4.08.253.

Vendor: Saleswonder LLC
Product: WebinarIgnition
Published: May 05, 2026
Source: NVD
CVE-2026-3454 MEDIUM - 6.5

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that th...

Published: May 05, 2026
Source: NVD
CVE-2026-2729 MEDIUM - 5.3

The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public pay...

Published: May 05, 2026
Source: NVD
CVE-2026-7823 CRITICAL - 9.8

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be launched remotely. The exploit has been released to the p...

Published: May 05, 2026
Source: NVD
CVE-2026-7822 MEDIUM - 6.3

A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

Published: May 05, 2026
Source: NVD
CVE-2026-7812 HIGH - 7.3

A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack c...

Published: May 05, 2026
Source: NVD
CVE-2026-7811 HIGH - 7.3

A vulnerability has been found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The affected element is the function is_safe_path of the file src/code_mcp/server.py of the component MCP File Handler. Such manipulation leads to path traversal. It is possible to launch the attack rem...

Published: May 05, 2026
Source: NVD