CVE Database

108577+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-34898
7.5 HIGH

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.

Jun 15, 2026
CVE-2026-34892
6.5 MEDIUM

Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.

Jun 15, 2026
CVE-2026-34891
7.5 HIGH

Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.

Jun 15, 2026
CVE-2026-34886
7.5 HIGH

Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.

Jun 15, 2026
CVE-2026-27407
7.2 HIGH

Editor Privilege Escalation in AI Engine <= 3.4.9 versions.

Jun 15, 2026
CVE-2026-27333
8.1 HIGH

Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.

Jun 15, 2026
CVE-2026-27089
7.5 HIGH

Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.

Jun 15, 2026
CVE-2026-27053
9.8 CRITICAL

Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.

Jun 15, 2026
CVE-2026-25440
5.3 MEDIUM

Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.

Jun 15, 2026
CVE-2026-25425
7.5 HIGH

Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.

Jun 15, 2026
CVE-2026-24637
8.5 HIGH

Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.

Jun 15, 2026
CVE-2026-23970
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.

Jun 15, 2026
CVE-2025-69332
6.5 MEDIUM

Subscriber Broken Access Control in Bookify <= 1.1.1 versions.

Jun 15, 2026
CVE-2025-68872
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Eli&#039;s WordCents adSense Widget with Analytics <= 1.3.03.27 versions.

Jun 15, 2026
CVE-2025-68851
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.

Jun 15, 2026
CVE-2025-68840
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.

Jun 15, 2026
CVE-2025-68049
6.3 MEDIUM

Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.

Jun 15, 2026
CVE-2025-60175
4.4 MEDIUM

Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.

Jun 15, 2026
CVE-2025-59133
7.5 HIGH

Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.

Jun 15, 2026
CVE-2026-53705
7.6 HIGH

A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size …

Jun 15, 2026
CVE-2026-53704
7.1 HIGH

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the …

Jun 15, 2026
CVE-2026-53703
7.1 HIGH

A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure …

Jun 15, 2026
CVE-2026-52722
7.1 HIGH

A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, …

Jun 15, 2026
CVE-2026-52721
5.3 MEDIUM

Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element …

Jun 15, 2026
CVE-2026-52720
8.8 HIGH

A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a …

Jun 15, 2026
CVE-2026-52719
7.1 HIGH

An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream …

Jun 15, 2026
CVE-2026-52718
6.5 MEDIUM

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API …

Jun 15, 2026
CVE-2026-50892
6.5 MEDIUM

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material …

Jun 15, 2026
CVE-2026-50891
8.1 HIGH

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

Jun 15, 2026
CVE-2026-50890
9.8 CRITICAL

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive …

Jun 15, 2026
CVE-2026-50889
7.5 HIGH

An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a …

Jun 15, 2026
CVE-2026-50888
8.1 HIGH

An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying …

Jun 15, 2026
CVE-2026-50887
9.1 CRITICAL

A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a …

Jun 15, 2026
CVE-2026-50886
9.1 CRITICAL

Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.

Jun 15, 2026
CVE-2026-50885
7.5 HIGH

Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request.

Jun 15, 2026
CVE-2026-50884
8.8 HIGH

Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.

Jun 15, 2026
CVE-2026-50883
9.6 CRITICAL

An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.

Jun 15, 2026
CVE-2026-50882
7.5 HIGH

An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Jun 15, 2026
CVE-2026-50881
8.1 HIGH

Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and …

Jun 15, 2026
CVE-2026-50880
9.8 CRITICAL

An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request.

Jun 15, 2026
CVE-2026-50879
7.5 HIGH

An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Jun 15, 2026
CVE-2026-50878
7.5 HIGH

An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request.

Jun 15, 2026
CVE-2026-50877
7.5 HIGH

An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a directory traversal via supplying files with names containing traversal characters.

Jun 15, 2026
CVE-2026-50876
5.4 MEDIUM

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Jun 15, 2026
CVE-2026-50875
8.1 HIGH

Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted …

Jun 15, 2026
CVE-2026-50874
8.1 HIGH

An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.

Jun 15, 2026
CVE-2026-50873
9.8 CRITICAL

An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or …

Jun 15, 2026
CVE-2026-50872
9.8 CRITICAL

An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a …

Jun 15, 2026
CVE-2026-50871
9.8 CRITICAL

An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying …

Jun 15, 2026
CVE-2026-50870
7.5 HIGH

An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

Jun 15, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.