CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-33833
8.2 HIGH

Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over …

May 12, 2026
CVE-2026-33821
7.7 HIGH

Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.

May 12, 2026
CVE-2026-33112
8.8 HIGH

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

May 12, 2026
CVE-2026-33110
8.8 HIGH

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

May 12, 2026
CVE-2026-32204
7.8 HIGH

External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.

May 12, 2026
CVE-2026-32177
7.3 HIGH

Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

May 12, 2026
CVE-2026-32161
7.5 HIGH

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an …

May 12, 2026
CVE-2026-31240
7.5 HIGH

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records (PUT /memories/{memory_id}) are …

May 12, 2026
CVE-2026-31232
8.8 HIGH

The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a …

May 12, 2026
CVE-2026-20767
7.8 HIGH

Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. …

May 12, 2026
CVE-2026-20714
7.8 HIGH

Out-of-bounds write for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a escalation of privilege. Unprivileged …

May 12, 2026
CVE-2025-53844
8.8 HIGH

A out-of-bounds write vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11 allows attacker to execute unauthorized code or …

May 12, 2026
CVE-2025-53681
7.2 HIGH

An improper neutralization of special elements used in an SQL Command ("SQL Injection&") vulnerability [CWE-89] vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through …

May 12, 2026
CVE-2025-46311
7.5 HIGH

An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS …

May 12, 2026
CVE-2025-43524
8.8 HIGH

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app …

May 12, 2026
CVE-2026-5089
7.3 HIGH

YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 …

May 12, 2026
CVE-2026-43993
8.2 HIGH

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch() on agent-supplied URLs without validating scheme, …

May 12, 2026
CVE-2026-43991
8.4 HIGH

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument …

May 12, 2026
CVE-2026-43990
8.4 HIGH

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' …

May 12, 2026
CVE-2026-43989
8.5 HIGH

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and …

May 12, 2026
CVE-2026-43513
7.5 HIGH

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from …

May 12, 2026
CVE-2026-42498
7.3 HIGH

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from …

May 12, 2026
CVE-2026-41284
7.5 HIGH

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from …

May 12, 2026
CVE-2026-31225
8.8 HIGH

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe …

May 12, 2026
CVE-2026-31224
8.8 HIGH

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files …

May 12, 2026
CVE-2026-31223
8.8 HIGH

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler …

May 12, 2026
CVE-2026-31222
8.8 HIGH

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files …

May 12, 2026
CVE-2026-31221
7.8 HIGH

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load …

May 12, 2026
CVE-2026-31219
8.8 HIGH

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When a user provides …

May 12, 2026
CVE-2026-31218
8.8 HIGH

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model …

May 12, 2026
CVE-2026-30810
8.8 HIGH

Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800

May 12, 2026
CVE-2026-30808
8.1 HIGH

Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800

May 12, 2026
CVE-2026-30807
8.8 HIGH

Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800

May 12, 2026
CVE-2023-27753
8.0 HIGH

An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file.

May 12, 2026
CVE-2026-8111
8.8 HIGH

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

May 12, 2026
CVE-2026-8110
7.8 HIGH

Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

May 12, 2026
CVE-2026-8051
7.2 HIGH

OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

May 12, 2026
CVE-2026-7432
7.8 HIGH

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

May 12, 2026
CVE-2026-43983
8.1 HIGH

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates …

May 12, 2026
CVE-2026-43939
7.3 HIGH

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the thread posting and reply feature accepts user-supplied content via a a post …

May 12, 2026
CVE-2026-43938
8.1 HIGH

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a …

May 12, 2026
CVE-2026-43937
8.8 HIGH

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to …

May 12, 2026
CVE-2026-42260
8.2 HIGH

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts …

May 12, 2026
CVE-2026-8390
7.3 HIGH

Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.

May 12, 2026
CVE-2026-8389
7.3 HIGH

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.

May 12, 2026
CVE-2026-35071
8.2 HIGH

Dell PowerScale InsightIQ, versions 6.0.0 through 6.2.0, contains an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability. A high …

May 12, 2026
CVE-2026-27851
7.4 HIGH

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to …

May 12, 2026
CVE-2026-45218
7.7 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects …

May 12, 2026
CVE-2026-45214
8.5 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This issue affects …

May 12, 2026
CVE-2026-45213
7.6 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection.This issue affects BEAR: from …

May 12, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.