CVE Database

36609+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-40075
7.5 HIGH

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is …

May 5, 2026
CVE-2026-40068
8.8 HIGH

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker …

May 5, 2026
CVE-2026-39852
8.2 HIGH

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between …

May 5, 2026
CVE-2026-39849
8.8 HIGH

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL …

May 5, 2026
CVE-2026-39383
7.2 HIGH

Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST …

May 5, 2026
CVE-2026-7857
7.2 HIGH

A vulnerability has been found in D-Link DI-8100 16.07.26A1. This vulnerability affects the function sprintf of the file /user_group.asp of the component CGI Handler. The …

May 5, 2026
CVE-2026-7856
7.2 HIGH

A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing …

May 5, 2026
CVE-2026-44331
8.1 HIGH

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a …

May 5, 2026
CVE-2026-40280
7.5 HIGH

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive …

May 5, 2026
CVE-2026-35397
8.8 HIGH

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated …

May 5, 2026
CVE-2026-34596
7.0 HIGH

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When …

May 5, 2026
CVE-2026-34464
8.8 HIGH

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed …

May 5, 2026
CVE-2026-34462
7.8 HIGH

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR …

May 5, 2026
CVE-2026-34461
7.8 HIGH

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The …

May 5, 2026
CVE-2026-34459
8.8 HIGH

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that …

May 5, 2026
CVE-2026-34458
8.8 HIGH

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to …

May 5, 2026
CVE-2026-33489
7.5 HIGH

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a …

May 5, 2026
CVE-2026-33324
8.8 HIGH

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to …

May 5, 2026
CVE-2026-33190
7.5 HIGH

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, …

May 5, 2026
CVE-2026-32936
7.5 HIGH

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and …

May 5, 2026
CVE-2026-32934
7.5 HIGH

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory …

May 5, 2026
CVE-2024-52911
7.5 HIGH

Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. The earliest affected version is 0.14.

May 5, 2026
CVE-2026-7855
8.8 HIGH

A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tggl_asp of the file /tggl.asp of the component HTTP Request …

May 5, 2026
CVE-2026-42997
7.7 HIGH

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a …

May 5, 2026
CVE-2026-30923
7.5 HIGH

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 …

May 5, 2026
CVE-2026-7851
7.2 HIGH

A vulnerability was identified in D-Link DI-8100 16.07.26A1. This affects the function sprintf of the file yyxz.asp. The manipulation of the argument ID leads to …

May 5, 2026
CVE-2026-25589
8.8 HIGH

RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed …

May 5, 2026
CVE-2026-25588
8.8 HIGH

RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the …

May 5, 2026
CVE-2026-25243
8.8 HIGH

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated …

May 5, 2026
CVE-2026-23631
8.1 HIGH

Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to …

May 5, 2026
CVE-2026-23479
8.8 HIGH

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` …

May 5, 2026
CVE-2026-7412
8.6 HIGH

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated …

May 5, 2026
CVE-2026-43070
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for BPF_END value tracking When a register undergoes a BPF_END (byte …

May 5, 2026
CVE-2026-43063
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: xfs: don't irele after failing to iget in xfs_attri_recover_work xlog_recovery_iget* never set @ip to a …

May 5, 2026
CVE-2026-43062
7.1 HIGH

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp …

May 5, 2026
CVE-2026-43060
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a …

May 5, 2026
CVE-2026-31196
8.8 HIGH

The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, …

May 5, 2026
CVE-2026-31195
8.8 HIGH

The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, …

May 5, 2026
CVE-2025-66369
7.5 HIGH

An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, …

May 5, 2026
CVE-2026-4304
7.5 HIGH

The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due …

May 5, 2026
CVE-2026-36355
7.7 HIGH

The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the …

May 5, 2026
CVE-2026-29168
7.3 HIGH

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 …

May 5, 2026
CVE-2026-7833
7.2 HIGH

A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of the component …

May 5, 2026
CVE-2026-7832
7.0 HIGH

A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The …

May 5, 2026
CVE-2026-6918
7.5 HIGH

In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

May 5, 2026
CVE-2026-6261
8.8 HIGH

The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function …

May 5, 2026
CVE-2026-43573
7.7 HIGH

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with …

May 5, 2026
CVE-2026-43571
8.8 HIGH

OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers …

May 5, 2026
CVE-2026-43569
8.8 HIGH

OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers …

May 5, 2026
CVE-2026-43533
8.6 HIGH

OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage …

May 5, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.