CVE-2026-10134 — CVSS 10.0 (critical): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow…
CVE-2026-53576 — CVSS 10.0 (critical): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API…
CVE-2026-10561 — CVSS 10.0 (critical): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined with an authentication…
CVE-2026-25470 — CVSS 10.0 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows…
CVE-2026-52704 — CVSS 10.0 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code…
CVE-2026-45132 — CVSS 10.0 (critical): CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow…
CVE-2026-45131 — CVSS 10.0 (critical): CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml)…
CVE-2026-43898 — CVSS 10.0 (critical): SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to…
CVE-2026-45829 — CVSS 10.0 (critical): A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated…
CVE-2026-44006 — CVSS 10.0 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get…
CVE-2026-44005 — CVSS 10.0 (critical): vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic…
CVE-2026-43997 — CVSS 10.0 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the…
CVE-2026-42288 — CVSS 10.0 (critical): ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication…
CVE-2026-42298 — CVSS 10.0 (critical): Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker…
CVE-2026-41196 — CVSS 10.0 (critical): Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a…
CVE-2026-40911 — CVSS 10.0 (critical): WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied…
CVE-2026-39337 — CVSS 10.0 (critical): ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in…
CVE-2026-28505 — CVSS 10.0 (critical): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in…
CVE-2026-4745: Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This…
CVE-2026-26954 — CVSS 10.0 (critical): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping…
CVE-2026-27597 — CVSS 10.0 (critical): Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the…
CVE-2026-26216 — CVSS 10.0 (critical): Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a…
CVE-2026-25587 — CVSS 10.0 (critical): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via…
CVE-2026-23830 — CVSS 10.0 (critical): SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being…
CVE-2026-24871: Improper Control of Generation of Code ('Code Injection') vulnerability in pilgrimage233 Minecraft-Rcon-Manage.This issue affects…
CVE-2025-61937 — CVSS 10.0 (critical): The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of…
CVE-2026-22686 — CVSS 10.0 (critical): Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape…
CVE-2025-54322 — CVSS 10.0 (critical): Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The…
CVE-2025-65037 — CVSS 10.0 (critical): Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a…
CVE-2025-62521 — CVSS 10.0 (critical): ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in…
CVE-2025-65108 — CVSS 10.0 (critical): md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown…
CVE-2025-49372 — CVSS 10.0 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows…
CVE-2025-60206 — CVSS 10.0 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability in Beplusthemes Alone alone allows Code Injection.This issue…
CVE-2025-59528 — CVSS 10.0 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote…
CVE-2025-41243 — CVSS 10.0 (critical): Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered…
CVE-2025-55728 — CVSS 10.0 (critical): XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and…
CVE-2025-55727 — CVSS 10.0 (critical): XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and…
CVE-2022-31491 — CVSS 10.0 (critical): Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote…
CVE-2025-53577 — CVSS 10.0 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS global-dns allows Remote Code Inclusion.This…
CVE-2011-10013: Traq versions 2.0 through 2.3 contain a remote code execution vulnerability in the admincp/common.php script. The flawed authorization…
CVE-2011-10011: WeBid 1.0.2 contains a remote code injection vulnerability in the converter.php script, where unsanitized input in the to parameter of a…
CVE-2025-5120 — CVSS 10.0 (critical): A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted…
CVE-2025-34077: An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to…
CVE-2025-49302 — CVSS 10.0 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe easy-stripe allows Remote Code…
CVE-2025-6512 — CVSS 10.0 (critical): On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with…
CVE-2025-49132 — CVSS 10.0 (critical): Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale…