CVE Database

108856+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-53346
4.3 MEDIUM

Missing Authorization vulnerability in ThimPress Thim Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Core: from n/a through 2.3.3.

Jun 2, 2026
CVE-2025-53345
8.8 HIGH

Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3.

Jun 2, 2026
CVE-2025-53302
5.3 MEDIUM

Missing Authorization vulnerability in Anton Shevchuk Constructor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Constructor: from n/a through 1.6.5.

Jun 2, 2026
CVE-2025-53209
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0.

Jun 2, 2026
CVE-2025-52766
6.5 MEDIUM

Missing Authorization vulnerability in Printeers Printeers Print & Ship allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Printeers Print & Ship: from …

Jun 2, 2026
CVE-2025-52759
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnboundStudio Accordion FAQ allows Reflected XSS. This issue affects Accordion FAQ: from n/a …

Jun 2, 2026
CVE-2026-9730
4.3 MEDIUM

The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due …

Jun 2, 2026
CVE-2026-9723
4.3 MEDIUM

The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due …

Jun 2, 2026
CVE-2026-9722
4.3 MEDIUM

The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing …

Jun 2, 2026
CVE-2026-9599
4.3 MEDIUM

The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing …

Jun 2, 2026
CVE-2026-9234
4.3 MEDIUM

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability …

Jun 2, 2026
CVE-2026-8885
6.4 MEDIUM

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. …

Jun 2, 2026
CVE-2026-8422
4.3 MEDIUM

The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This …

Jun 2, 2026
CVE-2026-4081
6.4 MEDIUM

The ZeM STL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [zemstl] shortcode in all versions up to and including 1.0. This …

Jun 2, 2026
CVE-2026-4080
6.4 MEDIUM

The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This …

Jun 2, 2026
CVE-2026-4071
4.3 MEDIUM

The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce …

Jun 2, 2026
CVE-2026-3620
4.4 MEDIUM

The Word Replacer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'replacement' parameter in all versions up to, and including, 0.4. This …

Jun 2, 2026
CVE-2026-3514
7.5 HIGH

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the …

Jun 2, 2026
CVE-2026-2425
6.1 MEDIUM

The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'new_domain' parameter in all versions up to, and including, 2.0.0.1 …

Jun 2, 2026
CVE-2026-2382
6.4 MEDIUM

The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw_fs_get_file' AJAX action in all versions …

Jun 2, 2026
CVE-2026-1784
8.8 HIGH

The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy. It was found that the checks performed on …

Jun 2, 2026
CVE-2026-1451
6.1 MEDIUM

The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'a' parameter in versions up to, and including, 0.6.2 due to insufficient …

Jun 2, 2026
CVE-2026-1450
6.1 MEDIUM

The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mode' parameter in versions up to, and including, 0.6.2 due to insufficient …

Jun 2, 2026
CVE-2025-5085
5.5 MEDIUM

The WP Nano AD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blogrole_link’ parameter in all versions up to, and including, 1.31 …

Jun 2, 2026
CVE-2026-8293
7.5 HIGH

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker …

Jun 2, 2026
CVE-2026-8206
9.8 CRITICAL

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 …

Jun 2, 2026
CVE-2026-3198
6.5 MEDIUM

MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not …

Jun 2, 2026
CVE-2026-10583
4.7 MEDIUM

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. Affected by this issue is the function Import of the file internal/http/tts_config.go of …

Jun 2, 2026
CVE-2026-10581
6.3 MEDIUM

A flaw has been found in DedeCMS 5.7.88. Affected by this vulnerability is the function base64_decode of the file /plus/download.php?open=1. This manipulation of the argument …

Jun 2, 2026
CVE-2026-3871
6.5 MEDIUM

A buffer overflow vulnerability in the UPnP DeletePortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary …

Jun 2, 2026
CVE-2026-3870
6.5 MEDIUM

A buffer overflow vulnerability in the UPnP AddPortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary …

Jun 2, 2026
CVE-2026-3722
6.4 MEDIUM

The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site …

Jun 2, 2026
CVE-2026-10568
6.3 MEDIUM

A vulnerability was detected in itsourcecode Fees Management System 1.0. Affected is an unknown function of the file /manage_payment.php. The manipulation of the argument ID …

Jun 2, 2026
CVE-2026-10567
3.5 LOW

A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. …

Jun 2, 2026
CVE-2026-10566
5.3 MEDIUM

A weakness has been identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function Message.check_instruct_content of the file metagpt/schema.py. Executing a manipulation of the …

Jun 2, 2026
CVE-2026-10565
3.1 LOW

A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmm_state_security_mode of the file src/amf/gmm-sm.c of the component …

Jun 2, 2026
CVE-2026-10510
6.1 MEDIUM

Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute arbitrary JavaScript in …

Jun 2, 2026
CVE-2026-10100
4.4 MEDIUM

The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields (Page Background, Form Background, Text Color, …

Jun 2, 2026
CVE-2026-10559
6.3 MEDIUM

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation …

Jun 2, 2026
CVE-2026-10558
6.3 MEDIUM

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument …

Jun 2, 2026
CVE-2026-10550
6.3 MEDIUM

A weakness has been identified in elunez eladmin up to 2.7. This vulnerability affects unknown code of the file App.java of the component Application Deployment …

Jun 2, 2026
CVE-2026-10548
5.3 MEDIUM

A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.23. This affects the function _sync_anthropic_entry_from_credentials_file of the file agent/credential_pool.py of the component Credential …

Jun 2, 2026
CVE-2026-10529
2.4 LOW

A weakness has been identified in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is an unknown function of the file src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java of the component Task Scheduling …

Jun 2, 2026
CVE-2026-9050
4.3 MEDIUM

The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 and 7.0.0-7.0.14 is vulnerable to unauthorized modification of data. This is due to the plugin not …

Jun 2, 2026
CVE-2026-9048
4.3 MEDIUM

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it …

Jun 2, 2026
CVE-2026-10528
3.3 LOW

A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the …

Jun 2, 2026
CVE-2026-10514
2.4 LOW

A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross …

Jun 2, 2026
CVE-2026-10302
6.3 MEDIUM

A flaw has been found in itsourcecode Fees Management System 1.0. The impacted element is an unknown function of the file /manage_fee.php. Executing a manipulation …

Jun 2, 2026
CVE-2026-10301
4.3 MEDIUM

A vulnerability was detected in itsourcecode Fees Management System 1.0. The affected element is an unknown function of the file index.php. Performing a manipulation of …

Jun 2, 2026
CVE-2026-28511
4.3 MEDIUM

eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results …

Jun 1, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.