CVE Database

108856+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-8895
6.4 MEDIUM

The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, …

Jun 9, 2026
CVE-2026-8883
6.4 MEDIUM

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, …

Jun 9, 2026
CVE-2026-8882
6.4 MEDIUM

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 …

Jun 9, 2026
CVE-2026-8880
6.4 MEDIUM

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute (and other attributes) of the romancart_button shortcode in versions …

Jun 9, 2026
CVE-2026-8841
6.4 MEDIUM

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and …

Jun 9, 2026
CVE-2026-8499
5.3 MEDIUM

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is …

Jun 9, 2026
CVE-2026-7662
6.4 MEDIUM

The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to, …

Jun 9, 2026
CVE-2026-41980
5.5 MEDIUM

Permission control vulnerability in the file preview module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Jun 9, 2026
CVE-2026-41979
5.5 MEDIUM

Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect integrity and confidentiality.

Jun 9, 2026
CVE-2026-41978
4.4 MEDIUM

Permission control vulnerability in the clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Jun 9, 2026
CVE-2026-41975
6.3 MEDIUM

Permission management vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect service integrity.

Jun 9, 2026
CVE-2026-41855
8.1 HIGH

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring …

Jun 9, 2026
CVE-2026-41854
4.2 MEDIUM

Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side …

Jun 9, 2026
CVE-2026-41853
5.3 MEDIUM

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; …

Jun 9, 2026
CVE-2026-41852
3.7 LOW

A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an …

Jun 9, 2026
CVE-2026-41851
5.3 MEDIUM

Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL …

Jun 9, 2026
CVE-2026-41850
7.5 HIGH

Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an …

Jun 9, 2026
CVE-2026-41849
7.5 HIGH

An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted …

Jun 9, 2026
CVE-2026-41848
3.7 LOW

Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then …

Jun 9, 2026
CVE-2026-41847
4.8 MEDIUM

Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.

Jun 9, 2026
CVE-2026-41846
5.9 MEDIUM

Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting …

Jun 9, 2026
CVE-2026-41845
7.1 HIGH

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. …

Jun 9, 2026
CVE-2026-41844
4.2 MEDIUM

A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to …

Jun 9, 2026
CVE-2026-41843
5.9 MEDIUM

Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; …

Jun 9, 2026
CVE-2026-41842
7.5 HIGH

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 …

Jun 9, 2026
CVE-2026-41841
5.9 MEDIUM

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; …

Jun 9, 2026
CVE-2026-41840
5.9 MEDIUM

Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; …

Jun 9, 2026
CVE-2026-41839
4.2 MEDIUM

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID …

Jun 9, 2026
CVE-2026-41838
4.8 MEDIUM

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected …

Jun 9, 2026
CVE-2026-41720
7.4 HIGH

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring …

Jun 9, 2026
CVE-2026-41715
6.1 MEDIUM

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this …

Jun 9, 2026
CVE-2026-41710
5.9 MEDIUM

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the …

Jun 9, 2026
CVE-2026-41007
7.5 HIGH

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 …

Jun 9, 2026
CVE-2026-41006
7.5 HIGH

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. …

Jun 9, 2026
CVE-2026-40984
7.5 HIGH

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Affected versions: micrometer-core 1.16.0 …

Jun 9, 2026
CVE-2026-40983
7.5 HIGH

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 …

Jun 9, 2026
CVE-2026-26236
7.5 HIGH

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized …

Jun 9, 2026
CVE-2026-11623
4.5 MEDIUM

A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use …

Jun 9, 2026
CVE-2026-11603
6.1 MEDIUM

The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter in all versions up to, and including, …

Jun 9, 2026
CVE-2026-10738
6.4 MEDIUM

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, …

Jun 9, 2026
CVE-2026-10553
4.3 MEDIUM

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to …

Jun 9, 2026
CVE-2026-10024
6.4 MEDIUM

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 …

Jun 9, 2026
CVE-2026-7556
7.2 HIGH

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, …

Jun 9, 2026
CVE-2026-5714
6.4 MEDIUM

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘location_dir’ parameter in all versions up to, and including, 4.1.8 …

Jun 9, 2026
CVE-2026-11621
4.7 MEDIUM

A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. …

Jun 9, 2026
CVE-2026-11620
5.3 MEDIUM

A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation …

Jun 9, 2026
CVE-2026-11619
6.3 MEDIUM

A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component …

Jun 9, 2026
CVE-2026-11618
7.3 HIGH

A vulnerability was determined in DTStack Taier up to 1.4.0. The affected element is the function preHandle of the file taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java of the component Source …

Jun 9, 2026
CVE-2026-10862
6.4 MEDIUM

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due …

Jun 9, 2026
CVE-2026-8795
7.8 HIGH

A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is …

Jun 9, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.