CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-57572
10.0 CRITICAL

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied browser_config.extra_args, which flowed into Chromium's launch arguments. …

Jul 6, 2026
CVE-2026-57571
9.6 CRITICAL

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from …

Jul 6, 2026
CVE-2026-34038
9.9 CRITICAL

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment …

Jul 6, 2026
CVE-2026-9181
9.8 CRITICAL

ArcGIS Server contains a directory traversal vulnerability. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow access to …

Jul 6, 2026
CVE-2026-48614
9.9 CRITICAL

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root …

Jul 6, 2026
CVE-2026-48316
10.0 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of …

Jul 6, 2026
CVE-2026-5268
9.1 CRITICAL

An authentication bypass vulnerability exists in the default SFTP server component utilized across the Ciena products listed. This vulnerability allows a remote, unauthenticated attacker to …

Jul 6, 2026
CVE-2025-53830
9.1 CRITICAL

Anti-Virus for ownCloud is an anti-virus application for file storage, synchronization, and sharing application ownCloud. Versions of Anti-Virus for ownCloud before 1.2.3 are vulnerable to …

Jul 6, 2026
CVE-2025-53827
9.1 CRITICAL

ownCloud Core is the server-side component of the file storage, synchronization, and sharing application ownCloud Classic. In versions prior to 10.15.3, the Updater on ownCloud …

Jul 6, 2026
CVE-2026-56140
9.8 CRITICAL

Improper Input Validation vulnerability in Apache Camel AWS SNS component. The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, …

Jul 6, 2026
CVE-2026-48205
9.1 CRITICAL

Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component. The camel-dns producers read DNS operation parameters - the resolver to query, …

Jul 6, 2026
CVE-2026-48204
9.8 CRITICAL

Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from …

Jul 6, 2026
CVE-2026-48203
9.1 CRITICAL

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel Solr …

Jul 6, 2026
CVE-2026-46456
9.8 CRITICAL

Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy …

Jul 6, 2026
CVE-2026-46455
9.8 CRITICAL

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check …

Jul 6, 2026
CVE-2026-46454
9.8 CRITICAL

Improper Input Validation vulnerability in Apache Camel Cometd Component. The camel-cometd component maps inbound Bayeux (CometD) message headers into the Camel Exchange without applying a …

Jul 6, 2026
CVE-2026-43867
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads that …

Jul 6, 2026
CVE-2026-40047
9.1 CRITICAL

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool …

Jul 6, 2026
CVE-2026-24014
9.8 CRITICAL

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If …

Jul 6, 2026
CVE-2026-24013
9.1 CRITICAL

Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests …

Jul 6, 2026
CVE-2026-6382
9.1 CRITICAL

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before …

Jul 6, 2026
CVE-2026-14808
9.8 CRITICAL

Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain …

Jul 6, 2026
CVE-2026-14807
9.8 CRITICAL

ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and …

Jul 6, 2026
CVE-2026-58426
9.6 CRITICAL

Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

Jul 3, 2026
CVE-2026-58422
9.8 CRITICAL

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts

Jul 3, 2026
CVE-2026-58289
9.0 CRITICAL

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

Jul 3, 2026
CVE-2026-27780
9.8 CRITICAL

Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks.

Jul 3, 2026
CVE-2026-22874
9.6 CRITICAL

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.

Jul 3, 2026
CVE-2026-20896
9.8 CRITICAL

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers …

Jul 3, 2026
CVE-2026-20706
9.1 CRITICAL

Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.

Jul 3, 2026
CVE-2026-56015
9.1 CRITICAL

Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length. add() passes the prefix string to the trie builder …

Jul 3, 2026
CVE-2026-4321
9.8 CRITICAL

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows …

Jul 3, 2026
CVE-2026-14544
9.8 CRITICAL

A flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to …

Jul 3, 2026
CVE-2026-9079
9.8 CRITICAL

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get …

Jul 3, 2026
CVE-2026-8927
9.1 CRITICAL

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if …

Jul 3, 2026
CVE-2026-8926
9.1 CRITICAL

When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like …

Jul 3, 2026
CVE-2026-8925
9.8 CRITICAL

The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it …

Jul 3, 2026
CVE-2026-8924
9.1 CRITICAL

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables …

Jul 3, 2026
CVE-2026-11856
9.8 CRITICAL

Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one …

Jul 3, 2026
CVE-2026-11564
9.1 CRITICAL

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that …

Jul 3, 2026
CVE-2026-10536
9.8 CRITICAL

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the …

Jul 3, 2026
CVE-2026-9725
9.1 CRITICAL

The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 …

Jul 3, 2026
CVE-2026-13768
10.0 CRITICAL

Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns …

Jul 3, 2026
CVE-2026-57100
9.9 CRITICAL

Server-side request forgery (ssrf) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network.

Jul 2, 2026
CVE-2026-45499
9.9 CRITICAL

Server-side request forgery (ssrf) in Azure OpenAI allows an authorized attacker to elevate privileges over a network.

Jul 2, 2026
CVE-2026-41106
9.3 CRITICAL

Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

Jul 2, 2026
CVE-2026-52830
9.4 CRITICAL

fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The …

Jul 2, 2026
CVE-2026-38971
9.1 CRITICAL

ardupilot through Plane-4.6.3 was found to contain an out-of-bounds read issue in libraries/GCS_MAVLink/GCS_serial_control.cpp in GCS_MAVLINK::handle_serial_control().

Jul 2, 2026
CVE-2026-38968
9.8 CRITICAL

ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during …

Jul 2, 2026
CVE-2026-59099
9.1 CRITICAL

Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse …

Jul 2, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.