CVE Database

108577+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-48860
6.5 MEDIUM

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces …

Jun 10, 2026
CVE-2026-48859
5.3 MEDIUM

Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon …

Jun 10, 2026
CVE-2026-48858
6.5 MEDIUM

Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 …

Jun 10, 2026
CVE-2026-48856
6.5 MEDIUM

Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers …

Jun 10, 2026
CVE-2026-48855
6.5 MEDIUM

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the …

Jun 10, 2026
CVE-2026-48096
5.0 MEDIUM

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same …

Jun 10, 2026
CVE-2026-46558
8.3 HIGH

Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, …

Jun 10, 2026
CVE-2026-46497

Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This …

Jun 10, 2026
CVE-2026-45569
8.1 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. …

Jun 10, 2026
CVE-2026-45567
8.3 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via …

Jun 10, 2026
CVE-2026-45566
6.1 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by …

Jun 10, 2026
CVE-2026-45565
8.1 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator …

Jun 10, 2026
CVE-2026-25700
7.2 HIGH

Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after …

Jun 10, 2026
CVE-2026-9045
7.8 HIGH

During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local …

Jun 10, 2026
CVE-2026-8637
7.8 HIGH

A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code …

Jun 10, 2026
CVE-2026-8335

A missing authentication check on the Aix‑DB "/llm/process_llm_out" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint …

Jun 10, 2026
CVE-2026-7516
4.3 MEDIUM

A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the …

Jun 10, 2026
CVE-2026-6090
7.0 HIGH

A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated …

Jun 10, 2026
CVE-2026-53689
7.1 HIGH

libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This …

Jun 10, 2026
CVE-2026-53476
9.6 CRITICAL

A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting …

Jun 10, 2026
CVE-2026-53475
9.3 CRITICAL

A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) …

Jun 10, 2026
CVE-2026-53474
9.6 CRITICAL

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper …

Jun 10, 2026
CVE-2026-53473
7.3 HIGH

A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational …

Jun 10, 2026
CVE-2026-53471
9.6 CRITICAL

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate …

Jun 10, 2026
CVE-2026-53470
9.6 CRITICAL

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker …

Jun 10, 2026
CVE-2026-53469
9.1 CRITICAL

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper …

Jun 10, 2026
CVE-2026-45564
8.8 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter …

Jun 10, 2026
CVE-2026-45563
4.3 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter …

Jun 10, 2026
CVE-2026-45561
6.5 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes takes the …

Jun 10, 2026
CVE-2026-45560
6.1 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw …

Jun 10, 2026
CVE-2026-45559
4.9 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter …

Jun 10, 2026
CVE-2026-45558
9.9 CRITICAL

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and …

Jun 10, 2026
CVE-2026-45556
9.9 CRITICAL

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field …

Jun 10, 2026
CVE-2026-45552
9.9 CRITICAL

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → …

Jun 10, 2026
CVE-2026-45550
9.1 CRITICAL

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() …

Jun 10, 2026
CVE-2026-45549
8.5 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() …

Jun 10, 2026
CVE-2026-11884
6.5 MEDIUM

A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size …

Jun 10, 2026
CVE-2025-10238
6.7 MEDIUM

During an internal security assessment, a potential out-of-bounds write vulnerability was discovered in the BIOS of some ThinkPad products could allow a privileged local user …

Jun 10, 2026
CVE-2025-10237
6.7 MEDIUM

During an internal security assessment, a potential vulnerability was discovered in some ThinkPad embedded controller firmware that could allow a privileged local user to perform …

Jun 10, 2026
CVE-2026-9758
7.3 HIGH

Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed untrusted certificate to be considered trusted

Jun 10, 2026
CVE-2026-53442
5.3 MEDIUM

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job …

Jun 10, 2026
CVE-2026-53441
5.4 MEDIUM

Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could …

Jun 10, 2026
CVE-2026-53440
4.3 MEDIUM

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe …

Jun 10, 2026
CVE-2026-53439
4.3 MEDIUM

Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to …

Jun 10, 2026
CVE-2026-53438
4.3 MEDIUM

A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue …

Jun 10, 2026
CVE-2026-53437
4.3 MEDIUM

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab …

Jun 10, 2026
CVE-2026-53436
4.3 MEDIUM

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative …

Jun 10, 2026
CVE-2026-53435
8.8 HIGH

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or …

Jun 10, 2026
CVE-2026-52759
5.5 MEDIUM

Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can …

Jun 10, 2026
CVE-2026-52758
8.8 HIGH

Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote …

Jun 10, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.