CVE Database

108856+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-20175
6.1 MEDIUM

A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an …

Jun 3, 2026
CVE-2025-71314
5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Recover from panthor_gpu_flush_caches() failures We have seen a few cases where the whole memory …

Jun 3, 2026
CVE-2025-71313
5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Add missing NULL check for alloc_workqueue() alloc_workqueue() can return NULL on memory allocation …

Jun 3, 2026
CVE-2019-25720
6.5 MEDIUM

Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain a denial-of-service vulnerability in all software versions that allows …

Jun 3, 2026
CVE-2026-6657
6.1 MEDIUM

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises …

Jun 3, 2026
CVE-2026-44281

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with …

Jun 3, 2026
CVE-2026-42321

GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS …

Jun 3, 2026
CVE-2026-42320

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read …

Jun 3, 2026
CVE-2026-42318

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with …

Jun 3, 2026
CVE-2026-42317

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete …

Jun 3, 2026
CVE-2026-3276

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This …

Jun 3, 2026
CVE-2026-37462
7.5 HIGH

An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP …

Jun 3, 2026
CVE-2026-36748
9.0 CRITICAL

RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile.

Jun 3, 2026
CVE-2026-36576
9.8 CRITICAL

An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted …

Jun 3, 2026
CVE-2026-36574
7.8 HIGH

A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.

Jun 3, 2026
CVE-2022-31114

backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior …

Jun 3, 2026
CVE-2026-8404
3.1 LOW

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows …

Jun 3, 2026
CVE-2026-7666
3.1 LOW

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after …

Jun 3, 2026
CVE-2026-6873
3.1 LOW

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name …

Jun 3, 2026
CVE-2026-5241
9.6 CRITICAL

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The …

Jun 3, 2026
CVE-2026-48587
3.1 LOW

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` …

Jun 3, 2026
CVE-2026-47325

ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth (e.g., 12072000 for 12 July 2000). The …

Jun 3, 2026
CVE-2026-47324

ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting (XSS) in multiple attributes of students and teachers objects. An authorized attacker (e.g., a teacher or administrator) …

Jun 3, 2026
CVE-2026-44546
3.7 LOW

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat …

Jun 3, 2026
CVE-2026-44545
5.3 MEDIUM

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could …

Jun 3, 2026
CVE-2026-37460
7.5 HIGH

Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying …

Jun 3, 2026
CVE-2026-35193
3.1 LOW

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header …

Jun 3, 2026
CVE-2026-10729

An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site …

Jun 3, 2026
CVE-2025-70101
6.5 MEDIUM

An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a …

Jun 3, 2026
CVE-2025-70100
5.5 MEDIUM

A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a …

Jun 3, 2026
CVE-2025-60477
5.0 MEDIUM

A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying …

Jun 3, 2026
CVE-2024-47273
4.3 MEDIUM

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote …

Jun 3, 2026
CVE-2024-47263
4.1 MEDIUM

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote …

Jun 3, 2026
CVE-2023-52951
5.9 MEDIUM

A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential.

Jun 3, 2026
CVE-2022-49042
7.8 HIGH

An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute …

Jun 3, 2026
CVE-2022-49036
7.8 HIGH

An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local …

Jun 3, 2026
CVE-2026-35085
8.8 HIGH

A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.

Jun 3, 2026
CVE-2026-35084
8.8 HIGH

A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.

Jun 3, 2026
CVE-2026-35083
8.8 HIGH

A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.

Jun 3, 2026
CVE-2026-35082
8.8 HIGH

The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input.

Jun 3, 2026
CVE-2026-35081
8.1 HIGH

The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input.

Jun 3, 2026
CVE-2026-35080
8.1 HIGH

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Jun 3, 2026
CVE-2026-35079
8.1 HIGH

The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Jun 3, 2026
CVE-2026-35078
8.1 HIGH

The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Jun 3, 2026
CVE-2026-35077
8.1 HIGH

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Jun 3, 2026
CVE-2026-35076
8.1 HIGH

The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Jun 3, 2026
CVE-2026-35075
9.8 CRITICAL

An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.

Jun 3, 2026
CVE-2026-10722
3.3 LOW

A vulnerability has been found in cilium ebpf up to 0.21.0. This affects the function loadRawSpec of the file btf/btf.go of the component LoadCollectionSpec/LoadCollectionSpecFromReader. Such …

Jun 3, 2026
CVE-2025-41259

SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted …

Jun 3, 2026
CVE-2026-47065
9.8 CRITICAL

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy …

Jun 3, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.