CVE Database

108856+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-49448
9.8 CRITICAL

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This …

Jun 2, 2026
CVE-2026-49443
8.8 HIGH

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an …

Jun 2, 2026
CVE-2026-49144
6.5 MEDIUM

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. …

Jun 2, 2026
CVE-2026-49143
8.8 HIGH

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by …

Jun 2, 2026
CVE-2026-47201
8.5 HIGH

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when …

Jun 2, 2026
CVE-2026-45289
5.3 MEDIUM

CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authentication tokens …

Jun 2, 2026
CVE-2026-42849
9.3 CRITICAL

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in …

Jun 2, 2026
CVE-2026-41569
6.1 MEDIUM

authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather …

Jun 2, 2026
CVE-2026-10624
4.3 MEDIUM

A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the …

Jun 2, 2026
CVE-2026-10620
7.3 HIGH

A flaw has been found in code-projects Student Admission System 1.0. Affected is an unknown function of the file /index.php. This manipulation of the argument …

Jun 2, 2026
CVE-2026-10619
7.3 HIGH

A vulnerability was detected in sayan365 student-management-system up to 7f3c9ce7d410332335c2affac93a385485051800. This impacts an unknown function. The manipulation results in improper authentication. The attack can be …

Jun 2, 2026
CVE-2026-8036
7.1 HIGH

Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL …

Jun 2, 2026
CVE-2026-8035
7.1 HIGH

Improper input validation in the NI-PAL kernel driver may allow a local authenticated user to cause a denial of service by triggering a crash due …

Jun 2, 2026
CVE-2026-5385

An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before …

Jun 2, 2026
CVE-2026-5076
9.8 CRITICAL

The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores …

Jun 2, 2026
CVE-2026-5074
6.5 MEDIUM

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, …

Jun 2, 2026
CVE-2026-5073
7.5 HIGH

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, …

Jun 2, 2026
CVE-2026-49120
8.5 HIGH

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating …

Jun 2, 2026
CVE-2026-48682
5.9 MEDIUM

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simple_packet_parser_ng.cpp, after validating that the packet contains at least sizeof(ipv4_header_t) …

Jun 2, 2026
CVE-2026-48598

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter …

Jun 2, 2026
CVE-2026-48597

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL …

Jun 2, 2026
CVE-2026-48596

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2. Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings …

Jun 2, 2026
CVE-2026-48595

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin …

Jun 2, 2026
CVE-2026-48594

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When …

Jun 2, 2026
CVE-2026-47265
7.5 HIGH

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent …

Jun 2, 2026
CVE-2026-42342
7.5 HIGH

React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can …

Jun 2, 2026
CVE-2026-42211
8.1 HIGH

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote …

Jun 2, 2026
CVE-2026-41577
7.5 HIGH

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on …

Jun 2, 2026
CVE-2026-40181
6.1 MEDIUM

React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger …

Jun 2, 2026
CVE-2026-38967
9.8 CRITICAL

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.

Jun 2, 2026
CVE-2026-35202

Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass …

Jun 2, 2026
CVE-2026-35049
6.5 MEDIUM

wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an …

Jun 2, 2026
CVE-2026-34993
6.4 MEDIUM

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. …

Jun 2, 2026
CVE-2026-34077
7.5 HIGH

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a …

Jun 2, 2026
CVE-2026-33553
6.1 MEDIUM

Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS.

Jun 2, 2026
CVE-2026-33245
8.0 HIGH

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a …

Jun 2, 2026
CVE-2026-30586
6.1 MEDIUM

Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo …

Jun 2, 2026
CVE-2026-28299
8.2 HIGH

SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash …

Jun 2, 2026
CVE-2026-1829
8.8 HIGH

The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the …

Jun 2, 2026
CVE-2026-10702
4.3 MEDIUM

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3.

Jun 2, 2026
CVE-2026-10701
7.5 HIGH

Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 151.0.3.

Jun 2, 2026
CVE-2026-10617
7.3 HIGH

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook …

Jun 2, 2026
CVE-2026-10616
4.3 MEDIUM

A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component …

Jun 2, 2026
CVE-2026-10608
7.3 HIGH

A security flaw has been discovered in DedeCMS 5.7.88. This affects the function RemoveXSS of the file /plus/carbuyaction.php. The manipulation of the argument postname/des results …

Jun 2, 2026
CVE-2026-10607
7.3 HIGH

A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dede_htmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads …

Jun 2, 2026
CVE-2026-10584
5.9 MEDIUM

Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive …

Jun 2, 2026
CVE-2025-64390
7.4 HIGH

A privilege escalation vulnerability exists in PlayStation 4 firmware versions 13.00 through 13.02. The BD-J (Blu-ray Disc Java) sandbox can be escaped through a malformed …

Jun 2, 2026
CVE-2021-4479
4.0 MEDIUM

Dräger Atlan A350 software versions 1.00 through 1.01 contains an improper input handling vulnerability that allows attackers to cause a denial of service by sending …

Jun 2, 2026
CVE-2021-4478
8.2 HIGH

Dräger CC-Vision Basic before 7.5.3 and Dräger CC-Vision E-Cal before 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. A crafted .gdt file can …

Jun 2, 2026
CVE-2019-25724
6.5 MEDIUM

Dräger Infinity M300 patient worn monitors with software version VG2.x and earlier contain a network-based denial of service vulnerability that allows attackers with access to …

Jun 2, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.