CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-39836
7.5 HIGH

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

May 7, 2026
CVE-2026-39820
7.5 HIGH

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

May 7, 2026
CVE-2026-33814
7.5 HIGH

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

May 7, 2026
CVE-2026-33811
7.5 HIGH

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

May 7, 2026
CVE-2026-8083
7.3 HIGH

A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the …

May 7, 2026
CVE-2026-44742
7.2 HIGH

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in …

May 7, 2026
CVE-2026-44244
7.8 HIGH

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. …

May 7, 2026
CVE-2026-44243
7.1 HIGH

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a …

May 7, 2026
CVE-2026-42284
8.1 HIGH

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" …

May 7, 2026
CVE-2026-42215
8.8 HIGH

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as …

May 7, 2026
CVE-2026-42214
7.8 HIGH

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without …

May 7, 2026
CVE-2026-41906
7.1 HIGH

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope …

May 7, 2026
CVE-2026-41905
7.7 HIGH

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via …

May 7, 2026
CVE-2026-41904
7.6 HIGH

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store …

May 7, 2026
CVE-2026-7413
7.2 HIGH

A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, …

May 7, 2026
CVE-2026-7821
7.4 HIGH

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted …

May 7, 2026
CVE-2026-6973
7.2 HIGH KEV

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code …

May 7, 2026
CVE-2026-5788
7.0 HIGH

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

May 7, 2026
CVE-2026-5787
8.9 HIGH

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain …

May 7, 2026
CVE-2026-5786
8.8 HIGH

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

May 7, 2026
CVE-2025-65122
7.5 HIGH

Regex Denial of Service in youtube-regex npm package through version 1.0.5.

May 7, 2026
CVE-2026-42011
7.4 HIGH

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name …

May 7, 2026
CVE-2026-41688
7.7 HIGH

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but …

May 7, 2026
CVE-2026-41654
8.1 HIGH

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any …

May 7, 2026
CVE-2026-41505
8.7 HIGH

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. …

May 7, 2026
CVE-2026-41422
8.3 HIGH

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() …

May 7, 2026
CVE-2025-63705
8.8 HIGH

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.

May 7, 2026
CVE-2026-41554
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS. This issue affects Bricks Builder: from n/a through …

May 7, 2026
CVE-2026-41490
8.3 HIGH

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries …

May 7, 2026
CVE-2026-30495
8.8 HIGH

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The …

May 7, 2026
CVE-2025-14341
8.3 HIGH

Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. …

May 7, 2026
CVE-2026-8093
8.1 HIGH

Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of …

May 7, 2026
CVE-2026-8092
8.1 HIGH

Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with …

May 7, 2026
CVE-2026-8090
7.3 HIGH

Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.

May 7, 2026
CVE-2026-6002
8.8 HIGH

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue …

May 7, 2026
CVE-2026-5784
8.8 HIGH

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from …

May 7, 2026
CVE-2026-42285
7.5 HIGH

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger …

May 7, 2026
CVE-2026-42010
7.1 HIGH

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A …

May 7, 2026
CVE-2026-41644
7.1 HIGH

monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any …

May 7, 2026
CVE-2026-41643
7.5 HIGH

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) …

May 7, 2026
CVE-2026-41642
7.5 HIGH

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability …

May 7, 2026
CVE-2026-3953
8.8 HIGH

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), …

May 7, 2026
CVE-2026-33588
8.1 HIGH

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the …

May 7, 2026
CVE-2026-28201
7.8 HIGH

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to …

May 7, 2026
CVE-2026-6805
7.5 HIGH

Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline …

May 7, 2026
CVE-2025-68060
7.6 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMart Team Member allows Blind SQL Injection. This issue affects Team …

May 7, 2026
CVE-2025-1978
8.3 HIGH

Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, …

May 7, 2026
CVE-2024-43384
8.0 HIGH

A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer.

May 7, 2026
CVE-2026-4430
7.8 HIGH

Out-of-bounds write vulnerability in The Document Foundation LibreOffice via crafted OOXML documents with mismatched encryption salt parameters. This issue affects LibreOffice: from 26.2 before 26.2.3, …

May 7, 2026
CVE-2025-9661
8.1 HIGH

OS command injection vulneravility in the management gui (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects …

May 7, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.