Total CVEs

142,432

Critical Severity

3,972

High Severity

14,286

Last 7 Days

1,839
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,881 - 15,900 of 38,837 CVEs
CVE-2026-4304 HIGH - 7.5

The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possi...

Published: May 05, 2026
Source: NVD
CVE-2026-36356 CRITICAL - 9.1

The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

Published: May 05, 2026
Source: NVD
CVE-2026-36355 HIGH - 7.7

The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _...

Published: May 05, 2026
Source: NVD
CVE-2026-34408 CRITICAL - 9.1

An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.

Published: May 05, 2026
Source: NVD
CVE-2026-29168 HIGH - 7.3

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server'sย  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache HTTP Server
Published: May 05, 2026
Source: NVD
CVE-2026-7833 HIGH - 7.2

A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of the component ApplyRestore Endpoint. This manipulation of the argument RestoreFile causes command injection. The attack can be initiated remotely. The exp...

Published: May 05, 2026
Source: NVD
CVE-2026-7832 HIGH - 7.0

A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The manipulation results in symlink following. Attacking locally is a requirement. This attack is characterized by high complexity. It is indicated that the...

Published: May 05, 2026
Source: NVD
CVE-2026-6918 HIGH - 7.5

In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

Vendor: eclipse
Product: openj9
Published: May 05, 2026
Source: NVD
CVE-2026-28510 MEDIUM - 5.9

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an...

Vendor: elabftw
Product: elabftw
Published: May 05, 2026
Source: NVD
CVE-2026-27694 MEDIUM - 5.4

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafte...

Vendor: traccar
Product: traccar
Published: May 05, 2026
Source: NVD
CVE-2026-27693 MEDIUM - 5.4

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML co...

Vendor: traccar
Product: traccar
Published: May 05, 2026
Source: NVD
CVE-2026-27644 MEDIUM - 6.5

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported field...

Vendor: traccar
Product: traccar
Published: May 05, 2026
Source: NVD
CVE-2026-6262 MEDIUM - 6.5

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory...

Published: May 05, 2026
Source: NVD
CVE-2026-6261 HIGH - 8.8

The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it pos...

Published: May 05, 2026
Source: NVD
CVE-2026-43574 MEDIUM - 6.5

OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43573 HIGH - 7.7

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43572 MEDIUM - 5.3

OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, all...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43571 HIGH - 8.8

OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time p...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43570 MEDIUM - 6.5

OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended reposi...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43569 HIGH - 8.8

OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically select...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD