CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-42665
9.3 CRITICAL

Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.

Jun 15, 2026
CVE-2026-42639
9.3 CRITICAL

Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions.

Jun 15, 2026
CVE-2026-42386
9.3 CRITICAL

Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.

Jun 15, 2026
CVE-2026-42381
9.3 CRITICAL

Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.

Jun 15, 2026
CVE-2026-40798
9.3 CRITICAL

Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions.

Jun 15, 2026
CVE-2026-40772
10.0 CRITICAL

Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

Jun 15, 2026
CVE-2026-40771
9.3 CRITICAL

Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions.

Jun 15, 2026
CVE-2026-39591
9.9 CRITICAL

Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions.

Jun 15, 2026
CVE-2026-39583
9.8 CRITICAL

Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions.

Jun 15, 2026
CVE-2026-39530
9.3 CRITICAL

Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions.

Jun 15, 2026
CVE-2026-39519
9.3 CRITICAL

Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions.

Jun 15, 2026
CVE-2026-39512
9.3 CRITICAL

Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions.

Jun 15, 2026
CVE-2026-39511
9.3 CRITICAL

Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.

Jun 15, 2026
CVE-2026-39502
9.3 CRITICAL

Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions.

Jun 15, 2026
CVE-2026-39493
9.3 CRITICAL

Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions.

Jun 15, 2026
CVE-2026-39492
9.3 CRITICAL

Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.

Jun 15, 2026
CVE-2026-39465
9.1 CRITICAL

Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.

Jun 15, 2026
CVE-2026-39441
9.3 CRITICAL

Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions.

Jun 15, 2026
CVE-2026-34901
9.8 CRITICAL

Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.

Jun 15, 2026
CVE-2026-27053
9.8 CRITICAL

Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.

Jun 15, 2026
CVE-2026-50890
9.8 CRITICAL

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive …

Jun 15, 2026
CVE-2026-50887
9.1 CRITICAL

A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a …

Jun 15, 2026
CVE-2026-50886
9.1 CRITICAL

Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.

Jun 15, 2026
CVE-2026-50883
9.6 CRITICAL

An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.

Jun 15, 2026
CVE-2026-50880
9.8 CRITICAL

An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request.

Jun 15, 2026
CVE-2026-50873
9.8 CRITICAL

An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or …

Jun 15, 2026
CVE-2026-50872
9.8 CRITICAL

An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a …

Jun 15, 2026
CVE-2026-50871
9.8 CRITICAL

An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying …

Jun 15, 2026
CVE-2026-50869
9.8 CRITICAL

An issue in the api/plugin.php component of Bludit v3.19.0 allows attackers to execute a directory traversal via supplying a crafted request.

Jun 15, 2026
CVE-2026-49952
9.1 CRITICAL

Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore …

Jun 15, 2026
CVE-2026-48114
9.8 CRITICAL

Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the …

Jun 15, 2026
CVE-2026-45390
9.1 CRITICAL

In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, …

Jun 15, 2026
CVE-2026-45388
9.1 CRITICAL

In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not …

Jun 15, 2026
CVE-2026-39196
9.8 CRITICAL

Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to …

Jun 15, 2026
CVE-2026-39006
9.8 CRITICAL

An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.

Jun 15, 2026
CVE-2026-38812
9.8 CRITICAL

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with …

Jun 15, 2026
CVE-2026-38329
9.8 CRITICAL

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks …

Jun 15, 2026
CVE-2026-38065
9.8 CRITICAL

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.

Jun 15, 2026
CVE-2026-38064
9.8 CRITICAL

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.

Jun 15, 2026
CVE-2026-38063
9.8 CRITICAL

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.

Jun 15, 2026
CVE-2026-38062
9.8 CRITICAL

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.

Jun 15, 2026
CVE-2026-38061
9.8 CRITICAL

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.

Jun 15, 2026
CVE-2026-38060
9.8 CRITICAL

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.

Jun 15, 2026
CVE-2026-36537
9.8 CRITICAL

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter …

Jun 15, 2026
CVE-2026-30121
9.1 CRITICAL

remotion-dev remotion v4.0.409 was discovered to contain an arbitrary file write vulnerability.

Jun 15, 2026
CVE-2026-30120
9.8 CRITICAL

remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability.

Jun 15, 2026
CVE-2026-9862
9.8 CRITICAL

Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service …

Jun 15, 2026
CVE-2026-52704
10.0 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF …

Jun 15, 2026
CVE-2018-25436
9.8 CRITICAL

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php …

Jun 15, 2026
CVE-2026-8935
9.8 CRITICAL

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend …

Jun 15, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.