CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-7330
7.2 HIGH

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient …

May 8, 2026
CVE-2026-5127
8.8 HIGH

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in …

May 8, 2026
CVE-2026-43284
8.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a …

May 8, 2026
CVE-2026-4935
8.6 HIGH

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow …

May 8, 2026
CVE-2025-67888
7.3 HIGH

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter …

May 8, 2026
CVE-2025-55449
7.3 HIGH

AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

May 8, 2026
CVE-2024-53326
7.3 HIGH

LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.

May 8, 2026
CVE-2024-46508
7.5 HIGH

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than …

May 8, 2026
CVE-2024-46507
7.3 HIGH

A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the …

May 8, 2026
CVE-2024-45257
7.3 HIGH

A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server …

May 8, 2026
CVE-2024-33288
7.3 HIGH

Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page.

May 8, 2026
CVE-2024-27686
7.5 HIGH

Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data …

May 8, 2026
CVE-2026-8148
7.8 HIGH

NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks.

May 8, 2026
CVE-2026-8138
8.8 HIGH

A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg”. The manipulation results in stack-based buffer overflow. …

May 8, 2026
CVE-2026-8137
8.8 HIGH

A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url …

May 8, 2026
CVE-2023-42346
7.5 HIGH

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.

May 8, 2026
CVE-2023-42344
7.3 HIGH

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

May 8, 2026
CVE-2022-26522
7.8 HIGH

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in …

May 8, 2026
CVE-2026-8133
7.3 HIGH

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of …

May 8, 2026
CVE-2026-8132
7.3 HIGH

A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument …

May 8, 2026
CVE-2026-8131
7.3 HIGH

A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the …

May 8, 2026
CVE-2026-8130
7.3 HIGH

A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid …

May 8, 2026
CVE-2026-8129
7.3 HIGH

A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of …

May 8, 2026
CVE-2026-43943
7.8 HIGH

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit …

May 8, 2026
CVE-2026-43940
8.4 HIGH

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers …

May 8, 2026
CVE-2026-42275
8.7 HIGH

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through …

May 8, 2026
CVE-2026-42271
8.8 HIGH KEV

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints …

May 8, 2026
CVE-2026-42264
7.4 HIGH

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, …

May 8, 2026
CVE-2026-42261
7.1 HIGH

PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST …

May 8, 2026
CVE-2026-42203
8.8 HIGH

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST …

May 8, 2026
CVE-2026-41900
8.8 HIGH

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code …

May 8, 2026
CVE-2026-8128
7.3 HIGH

A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of …

May 8, 2026
CVE-2026-8126
7.3 HIGH

A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument …

May 8, 2026
CVE-2026-6411
7.3 HIGH

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata …

May 7, 2026
CVE-2026-7541
7.5 HIGH

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with …

May 7, 2026
CVE-2026-41105
8.1 HIGH

Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

May 7, 2026
CVE-2026-40213
7.4 HIGH

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token …

May 7, 2026
CVE-2026-35435
8.6 HIGH

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

May 7, 2026
CVE-2026-34327
8.2 HIGH

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

May 7, 2026
CVE-2026-33111
7.5 HIGH

Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a …

May 7, 2026
CVE-2026-32207
8.8 HIGH

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

May 7, 2026
CVE-2026-26164
7.5 HIGH

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a …

May 7, 2026
CVE-2026-26129
7.5 HIGH

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

May 7, 2026
CVE-2026-8098
7.3 HIGH

A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument …

May 7, 2026
CVE-2026-42449
8.5 HIGH

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder …

May 7, 2026
CVE-2026-42047
8.6 HIGH

Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that …

May 7, 2026
CVE-2026-43510
7.6 HIGH

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another …

May 7, 2026
CVE-2026-42501
7.5 HIGH

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any …

May 7, 2026
CVE-2026-42499
7.5 HIGH

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

May 7, 2026
CVE-2026-42239
8.1 HIGH

Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. …

May 7, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.