Critical-severity CVEs
32129 critical-severity CVEs (10999 with public PoCs). Browse the most dangerous vulnerabilities.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-11387 | Critical | 9.8 | 2026-07-01 | The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account… |
| CVE-2026-10539 | Critical | 9.0 | 2026-07-01 | A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauth… |
| CVE-2026-7840 | Critical | 9.8 | 2026-07-01 | UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in… |
| CVE-2026-7839 | Critical | 9.1 | 2026-07-01 | UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when setting… |
| CVE-2026-6070 | Critical | 9.1 | 2026-07-01 | The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to in… |
| CVE-2026-56700 | Critical | 9.8 | 2026-06-30 | Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapte… |
| CVE-2026-56415 | Critical | 10.0 | 2026-06-30 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attac… |
| CVE-2026-56413 | Critical | 10.0 | 2026-06-30 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts… |
| CVE-2026-56278 | Critical | 9.1 | 2026-06-30 | Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRES… |
| CVE-2026-55721 | Critical | 9.3 | 2026-06-30 | Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incor… |
| CVE-2026-50110 | Critical | 9.2 | 2026-06-30 | Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are… |
| CVE-2026-58449 | Critical | 9.8 | 2026-06-30 | txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which pe… |
| CVE-2026-50003 | Critical | 9.8 | 2026-06-30 | A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both r… |
| CVE-2026-7874 | Critical | 9.1 | 2026-06-30 | IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanis… |
| CVE-2026-7873 | Critical | 9.9 | 2026-06-30 | IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling… |
| CVE-2026-7871 | Critical | 9.8 | 2026-06-30 | IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data… |
| CVE-2026-7803 | Critical | 9.8 | 2026-06-30 | IBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields. |
| CVE-2026-7663 | Critical | 9.1 | 2026-06-30 | IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper… |
| CVE-2026-11712 | Critical | 9.3 | 2026-06-30 | IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system. |
| CVE-2026-11708 | Critical | 9.3 | 2026-06-30 | IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system. |