CVEs from 2026
- Total: 14,691
- critical: 1,318
- high: 4,976
- medium: 4,752
- low: 501
- % Critical: 9.0%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top products
- chrome 621
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46137 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq cont… | |||
| CVE-2026-46135 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Init… | |||
| CVE-2026-46115 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity … | |||
| CVE-2026-8364 | critical | 9.8 | 9.8 | 9d ago | Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo,… | |||
| CVE-2026-8363 | critical | 9.8 | 9.8 | 9d ago | A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources: | |||
| CVE-2026-8362 | critical | 9.8 | 9.8 | 9d ago | A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome | |||
| CVE-2026-25879 | critical | 9.8 | 9.8 | 9d ago | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When… | |||
| CVE-2026-44887 | critical | 9.8 | 9.8 | 9d ago | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. S… | |||
| CVE-2026-44888 | critical | 9.8 | 9.8 | 9d ago | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly… | |||
| CVE-2026-8175 | critical | 9.8 | 9.8 | 9d ago | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affecte… | |||
| CVE-2026-7524 | critical | 9.8 | 9.8 | 9d ago | IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction. | |||
| CVE-2026-46039 | critical | 9.8 | 9.8 | 9d ago | In the Linux kernel, the following vulnerability has been resolved: rxgk: Fix potential integer overflow in length check Fix potential integer overflow in rxgk_extract_token() when checking the len… | |||
| CVE-2026-45988 | critical | 9.8 | 9.8 | 9d ago | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a … | |||
| CVE-2026-45972 | critical | 9.8 | 9.8 | 9d ago | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open()… | |||
| CVE-2026-45898 | critical | 9.8 | 9.8 | 9d ago | In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") chan… | |||
| CVE-2026-42758 | critical | 9.8 | 9.8 | 9d ago | Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation. This issue affects WebinarIgnition: from n/a through < 4.08.253. | |||
| CVE-2026-42731 | critical | 9.8 | 9.8 | 9d ago | Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a… | |||
| CVE-2026-8760 | critical | 9.8 | 9.8 | 10d ago | The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout c… | |||
| CVE-2026-8401 | critical | 9.8 | 9.8 | 10d ago | Important: thunderbird security update | |||
| CVE-2026-8956 | critical | 9.8 | 9.8 | 10d ago | Important: thunderbird security update | |||
| CVE-2026-44966 | critical | 9.8 | 9.8 | 10d ago | Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the… | |||
| CVE-2026-9642 | critical | 9.8 | 9.8 | 10d ago | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||
| CVE-2026-3660 | critical | 9.8 | 9.8 | 10d ago | IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the ap… | |||
| CVE-2026-7251 | critical | 9.8 | 9.8 | 10d ago | Eppendorf BioFlo 320 is vulnerable due to VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access enabled, they can gain full… | |||
| CVE-2026-44668 | critical | 9.8 | 9.8 | 10d ago | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invo… | |||
| CVE-2026-9170 | critical | 9.8 | 9.8 | 10d ago | IBM HTTP Server 8.5, and 9.0 | |||
| CVE-2026-8633 | critical | 9.8 | 9.8 | 10d ago | IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code executi… | |||
| CVE-2026-48902 | critical | 9.8 | 9.8 | 10d ago | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | |||
| CVE-2026-48691 | critical | 9.8 | 9.8 | 10d ago | FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attr… | |||
| CVE-2026-35222 | critical | 9.8 | 9.8 | 10d ago | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | |||
| CVE-2026-24212 | critical | 9.8 | 9.8 | 10d ago | NVIDIA Isaac Launchable for Linux contains a vulnerability where sensitive information is transmitted in clear text. A successful exploit of this vulnerability might lead to code execution, escalatio… | |||
| CVE-2026-35221 | critical | 9.8 | 9.8 | 10d ago | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | |||
| CVE-2026-40383 | critical | 9.8 | 9.8 | 10d ago | An improper validation of user-supplied input leads to a local file inclusion vulnerability. | |||
| CVE-2026-48899 | critical | 9.8 | 9.8 | 10d ago | An improper access check allows privilege escalation through the com_users batch task. | |||
| CVE-2026-35223 | critical | 9.8 | 9.8 | 10d ago | An improper access check allows unauthorized access to com_config webservice endpoints. | |||
| CVE-2026-48904 | critical | 9.8 | 9.8 | 10d ago | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. | |||
| CVE-2026-48898 | critical | 9.8 | 9.8 | 10d ago | An improper access check allows privilege escalation through the com_users batch task. | |||
| CVE-2026-48686 | critical | 9.8 | 9.8 | 10d ago | FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() … | |||
| CVE-2026-9543 | critical | 9.8 | 9.8 | 10d ago | A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipul… | |||
| CVE-2026-48689 | critical | 9.8 | 9.8 | 11d ago | FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer,… | |||
| CVE-2026-48687 | critical | 9.8 | 9.8 | 11d ago | FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (l… | |||
| CVE-2026-8094 | critical | 9.8 | 9.8 | 11d ago | RHSA-2026:20566: firefox security update (Important) | |||
| CVE-2026-8376 | critical | 9.8 | 9.8 | 11d ago | Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of th… | |||
| CVE-2026-9477 | critical | 9.8 | 9.8 | 11d ago | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interf… | |||
| CVE-2026-9478 | critical | 9.8 | 9.8 | 11d ago | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setParentalRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing… | |||
| CVE-2026-9476 | critical | 9.8 | 9.8 | 11d ago | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interfa… | |||
| CVE-2026-9475 | critical | 9.8 | 9.8 | 11d ago | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipu… | |||
| CVE-2026-9458 | critical | 9.8 | 9.8 | 11d ago | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such… | |||
| CVE-2026-9457 | critical | 9.8 | 9.8 | 11d ago | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interf… | |||
| CVE-2026-9456 | critical | 9.8 | 9.8 | 11d ago | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation … | |||
| CVE-2026-9455 | critical | 9.8 | 9.8 | 11d ago | A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. T… | |||
| CVE-2026-9454 | critical | 9.8 | 9.8 | 11d ago | A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setOpenVpnCertGenerationCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Int… | |||
| CVE-2026-9436 | critical | 9.8 | 9.8 | 12d ago | A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Execut… | |||
| CVE-2026-9435 | critical | 9.8 | 9.8 | 12d ago | A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Perfor… | |||
| CVE-2026-9434 | critical | 9.8 | 9.8 | 12d ago | A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setWiFiWpsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. … | |||
| CVE-2026-9433 | critical | 9.8 | 9.8 | 12d ago | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. T… | |||
| CVE-2026-9432 | critical | 9.8 | 9.8 | 12d ago | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Managemen… | |||
| CVE-2026-9408 | critical | 9.8 | 9.8 | 12d ago | A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interf… | |||
| CVE-2026-9407 | critical | 9.8 | 9.8 | 12d ago | A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setFirewallType of the file /cgi-bin/cstecgi.cgi of the component We… | |||
| CVE-2026-9406 | critical | 9.8 | 9.8 | 12d ago | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a m… | |||
| CVE-2026-9405 | critical | 9.8 | 9.8 | 12d ago | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Perf… | |||
| CVE-2026-9404 | critical | 9.8 | 9.8 | 12d ago | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulat… | |||
| CVE-2026-9388 | critical | 9.8 | 9.8 | 12d ago | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface.… | |||
| CVE-2026-9387 | critical | 9.8 | 9.8 | 12d ago | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component Web Management Interfa… | |||
| CVE-2026-9386 | critical | 9.8 | 9.8 | 12d ago | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipu… | |||
| CVE-2026-9385 | critical | 9.8 | 9.8 | 12d ago | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Th… | |||
| CVE-2026-9384 | critical | 9.8 | 9.8 | 12d ago | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. … | |||
| CVE-2026-32253 | critical | 9.8 | 9.8 | 14d ago | Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are h… | |||
| CVE-2026-44930 | critical | 9.8 | 9.8 | 14d ago | An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommende… | |||
| CVE-2026-6960 | critical | 9.8 | 9.8 | 15d ago | The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versio… | |||
| CVE-2026-48207 | critical | 9.8 | 9.8 | 15d ago | Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resol… | |||
| CVE-2026-5118 | critical | 9.8 | 9.8 | 15d ago | The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from P… | |||
| CVE-2026-43501 | critical | 9.8 | 9.8 | 15d ago | In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header… | |||
| CVE-2026-6279 | critical | 9.8 | 9.8 | 16d ago | The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `w… | |||
| CVE-2026-8631 | critical | 9.8 | 9.8 | 16d ago | A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution v… | |||
| CVE-2026-9141 | critical | 9.8 | 9.8 | 16d ago | Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access intern… | |||
| CVE-2026-9139 | critical | 9.8 | 9.8 | 16d ago | Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-… | |||
| CVE-2026-3593 | critical | 9.8 | 9.8 | 16d ago | A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BI… | |||
| CVE-2026-33278 | critical | 9.8 | 9.8 | 16d ago | NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying … | |||
| CVE-2026-7637 | critical | 9.8 | 9.8 | 17d ago | The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This mak… | |||
| CVE-2026-24214 | critical | 9.8 | 9.8 | 17d ago | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution,… | |||
| CVE-2026-24213 | critical | 9.8 | 9.8 | 17d ago | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an out-of-bounds read. A successful exploit of this vulnerability might lead to code executio… | |||
| CVE-2026-24207 | critical | 9.8 | 9.8 | 17d ago | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of … | |||
| CVE-2026-24206 | critical | 9.8 | 9.8 | 17d ago | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, deni… | |||
| CVE-2026-24163 | critical | 9.8 | 9.8 | 17d ago | NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execut… | |||
| CVE-2026-24142 | critical | 9.8 | 9.8 | 17d ago | NVIDIA TRT-LLM for any platform contains a deserialization vulnerability and unsafe serialized handle. A successful exploit of this vulnerability might lead to code execution, data tampering, and i… | |||
| CVE-2026-7284 | critical | 9.8 | 9.8 | 17d ago | The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due … | |||
| CVE-2026-6555 | critical | 9.8 | 9.8 | 17d ago | The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in… | |||
| CVE-2026-31607 | critical | 9.8 | 9.8 | 17d ago | In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_… | |||
| CVE-2026-8495 | critical | 9.8 | 9.8 | 17d ago | This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerabili… | |||
| CVE-2026-33642 | critical | 9.8 | 9.8 | 17d ago | Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned … | |||
| CVE-2026-8605 | critical | 9.8 | 9.8 | 17d ago | In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. | |||
| CVE-2026-8603 | critical | 9.8 | 9.8 | 17d ago | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. | |||
| CVE-2026-36829 | critical | 9.8 | 9.8 | 17d ago | An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based … | |||
| CVE-2026-37281 | critical | 9.8 | 9.8 | 17d ago | An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter. | |||
| CVE-2026-31072 | critical | 9.8 | 9.8 | 17d ago | APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization | |||
| CVE-2026-31070 | critical | 9.8 | 9.8 | 17d ago | The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/… | |||
| CVE-2026-30118 | critical | 9.8 | 9.8 | 17d ago | scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers… | |||
| CVE-2026-30117 | critical | 9.8 | 9.8 | 17d ago | scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execut… | |||
| CVE-2026-44159 | critical | 9.8 | 9.8 | 17d ago | Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 202… |