CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-7252
8.1 HIGH

The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion …

May 7, 2026
CVE-2026-6692
8.8 HIGH

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is …

May 7, 2026
CVE-2026-4348
7.5 HIGH

The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, …

May 7, 2026
CVE-2026-41641
7.2 HIGH

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL …

May 7, 2026
CVE-2026-41143
8.8 HIGH

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. …

May 7, 2026
CVE-2026-41139
8.8 HIGH

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression …

May 7, 2026
CVE-2026-41670
8.2 HIGH

Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from …

May 7, 2026
CVE-2026-41669
8.2 HIGH

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method …

May 7, 2026
CVE-2026-41660
7.1 HIGH

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users …

May 7, 2026
CVE-2026-41640
7.5 HIGH

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package …

May 7, 2026
CVE-2026-41142
8.8 HIGH

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to …

May 7, 2026
CVE-2026-41002
7.2 HIGH

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config …

May 7, 2026
CVE-2026-40981
7.5 HIGH

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially …

May 7, 2026
CVE-2026-8032
7.3 HIGH

A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation …

May 6, 2026
CVE-2026-44118
7.8 HIGH

OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to …

May 6, 2026
CVE-2026-44116
8.6 HIGH

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF …

May 6, 2026
CVE-2026-44115
8.8 HIGH

OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell …

May 6, 2026
CVE-2026-44114
7.8 HIGH

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces …

May 6, 2026
CVE-2026-44113
7.7 HIGH

OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers …

May 6, 2026
CVE-2026-44110
8.8 HIGH

OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute …

May 6, 2026
CVE-2026-43585
8.1 HIGH

OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to …

May 6, 2026
CVE-2026-43584
8.8 HIGH

OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including …

May 6, 2026
CVE-2026-43580
7.7 HIGH

OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including …

May 6, 2026
CVE-2026-43576
7.7 HIGH

OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The …

May 6, 2026
CVE-2026-40076
8.8 HIGH

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint …

May 6, 2026
CVE-2026-8018
8.1 HIGH

Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. …

May 6, 2026
CVE-2026-8016
8.8 HIGH

Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted …

May 6, 2026
CVE-2026-8007
7.5 HIGH

Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform …

May 6, 2026
CVE-2026-8002
8.8 HIGH

Use after free in Audio in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via …

May 6, 2026
CVE-2026-8001
8.3 HIGH

Use After Free in Printing in Google Chrome on Linux, Mac, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process …

May 6, 2026
CVE-2026-8000
8.8 HIGH

Insufficient validation of untrusted input in ChromeDriver in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a …

May 6, 2026
CVE-2026-7997
7.8 HIGH

Insufficient validation of untrusted input in Updater in Google Chrome on Mac prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via …

May 6, 2026
CVE-2026-7995
8.8 HIGH

Out of bounds read in AdFilter in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a …

May 6, 2026
CVE-2026-7994
7.8 HIGH

Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. …

May 6, 2026
CVE-2026-7992
8.8 HIGH

Insufficient validation of untrusted input in UI in Google Chrome on Linux, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to …

May 6, 2026
CVE-2026-7991
8.8 HIGH

Use after free in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code …

May 6, 2026
CVE-2026-7990
7.8 HIGH

Insufficient validation of untrusted input in Updater in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via …

May 6, 2026
CVE-2026-7988
8.8 HIGH

Type Confusion in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML …

May 6, 2026
CVE-2026-7987
8.8 HIGH

Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted …

May 6, 2026
CVE-2026-7985
8.3 HIGH

Use after free in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a …

May 6, 2026
CVE-2026-7984
8.8 HIGH

Use after free in ReadingMode in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code …

May 6, 2026
CVE-2026-7981
8.1 HIGH

Out of bounds read in Codecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via …

May 6, 2026
CVE-2026-7980
8.8 HIGH

Use after free in WebAudio in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted …

May 6, 2026
CVE-2026-7978
8.1 HIGH

Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. …

May 6, 2026
CVE-2026-7976
7.5 HIGH

Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute …

May 6, 2026
CVE-2026-7975
8.3 HIGH

Use after free in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a …

May 6, 2026
CVE-2026-7974
8.8 HIGH

Use after free in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted …

May 6, 2026
CVE-2026-7973
8.8 HIGH

Integer overflow in Dawn in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted …

May 6, 2026
CVE-2026-7970
8.3 HIGH

Use after free in TopChrome in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a …

May 6, 2026
CVE-2026-7967
8.3 HIGH

Insufficient validation of untrusted input in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially …

May 6, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.