Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,297
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 1 - 20 of 3,927 CVEs
CVE-2026-59827 CRITICAL - 9.9

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of ...

Vendor: metabase
Product: metabase
Published: Jul 09, 2026
Source: NVD
CVE-2026-59826 CRITICAL - 9.1

Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 dat...

Vendor: metabase
Product: metabase
Published: Jul 09, 2026
Source: NVD
CVE-2026-59726 CRITICAL - 10.0

Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated network attacker to invoke tools/call to terminal_execute, obt...

Vendor: ruvnet
Product: ruflo
Published: Jul 09, 2026
Source: NVD
CVE-2026-14261 CRITICAL - 9.1

A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.

Vendor: Xerte
Product: Xerte Online Tools
Published: Jul 09, 2026
Source: NVD
CVE-2026-12116 CRITICAL - 9.8

A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.

Vendor: Xerte
Product: Xerte Online Tools
Published: Jul 09, 2026
Source: NVD
CVE-2026-5955 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection. This issue affects BiEticaret: before v3.3.57.

Published: Jul 09, 2026
Source: NVD
CVE-2026-2342 CRITICAL - 9.3

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS. This issue affects ValeApp: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respon...

Published: Jul 09, 2026
Source: NVD
CVE-2026-15158 CRITICAL - 9.8

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that approves any filename containing .woff2 or ....

Vendor: creativethemeshq
Product: Blocksy Companion
Published: Jul 09, 2026
Source: NVD
CVE-2026-14245 CRITICAL - 9.8

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the `um_reset_password_process_hook()` function performing no server-side ver...

Vendor: cyberlord92
Product: miniOrange OTP Login, Verification and SMS Notifications
Published: Jul 09, 2026
Source: NVD
CVE-2026-47646 CRITICAL - 9.3

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.

Vendor: microsoft
Product: dynamics_365_customer_voice
Published: Jul 09, 2026
Source: NVD
CVE-2026-15113 CRITICAL - 9.6

Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Vendor: Google
Product: Chrome
Published: Jul 08, 2026
Source: NVD
CVE-2026-52200 CRITICAL - 9.8

An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk

Published: Jul 08, 2026
Source: NVD
CVE-2026-53649 CRITICAL - 9.6

Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE

Vendor: go
Product: github.com/BishopFox/joro
Published: Jul 08, 2026
Source: GitHub
CVE-2026-52831 CRITICAL - 10.0

Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE

Vendor: go
Product: github.com/nuclio/nuclio
Published: Jul 08, 2026
Source: GitHub
CVE-2026-9074 CRITICAL - 9.1

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

Published: Jul 08, 2026
Source: NVD
CVE-2026-59702 CRITICAL - 9.3

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to a...

Vendor: repomix
Product: repomix
Published: Jul 08, 2026
Source: NVD
CVE-2026-15062 CRITICAL - 9.6

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database co...

Vendor: Snowflake
Product: Snowpark Python SDK
Published: Jul 08, 2026
Source: NVD
CVE-2026-58480 CRITICAL - 9.8

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exp...

Vendor: Creative Themes
Product: Blocksy Companion
Published: Jul 08, 2026
Source: NVD
CVE-2026-54061 CRITICAL - 9.1

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauthenticated network client can open `StreamExtSnapshot` and sen...

Vendor: dgraph-io
Product: dgraph
Published: Jul 08, 2026
Source: NVD
CVE-2026-8307 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported...

Published: Jul 08, 2026
Source: NVD