CVE Database

36304+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-57913
7.5 HIGH

Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts.

Jun 26, 2026
CVE-2026-57912
7.5 HIGH

Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers.

Jun 26, 2026
CVE-2026-13325
8.5 HIGH

A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain …

Jun 26, 2026
CVE-2026-11702
7.5 HIGH

Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes. When an object is initialised before forking, then the internal state for the …

Jun 26, 2026
CVE-2026-11625
7.5 HIGH

Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes. When an object is initialised before forking, or when the functional interface is …

Jun 26, 2026
CVE-2026-57877
8.6 HIGH

An unauthenticated format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling of externally …

Jun 26, 2026
CVE-2026-57876
7.5 HIGH

An unauthenticated out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when …

Jun 26, 2026
CVE-2026-57875
7.5 HIGH

An unauthenticated NULL pointer dereference vulnerability exists in the HTTP request parsing logic of multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. …

Jun 26, 2026
CVE-2026-57874
7.5 HIGH

An unauthenticated buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when …

Jun 26, 2026
CVE-2026-57873
7.5 HIGH

An unauthenticated NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of …

Jun 26, 2026
CVE-2026-57872
7.5 HIGH

An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied …

Jun 26, 2026
CVE-2026-49486
7.5 HIGH

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was …

Jun 26, 2026
CVE-2026-2053
8.3 HIGH

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows …

Jun 26, 2026
CVE-2026-10835
7.7 HIGH

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using …

Jun 26, 2026
CVE-2026-10823
7.5 HIGH

The YMC Filter WordPress plugin before 3.11.3 does not properly authorize access to one of its REST API endpoints and does not validate a user-supplied …

Jun 26, 2026
CVE-2026-50741
8.8 HIGH

Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by …

Jun 26, 2026
CVE-2026-48933
7.5 HIGH

A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported …

Jun 26, 2026
CVE-2026-48619
7.5 HIGH

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory …

Jun 26, 2026
CVE-2026-48615
7.5 HIGH

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, …

Jun 26, 2026
CVE-2026-9222
8.1 HIGH

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow …

Jun 26, 2026
CVE-2026-9221
7.5 HIGH

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and …

Jun 26, 2026
CVE-2026-9220
7.5 HIGH

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. …

Jun 26, 2026
CVE-2026-40083
7.2 HIGH

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 …

Jun 25, 2026
CVE-2026-8720
7.5 HIGH

wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the …

Jun 25, 2026
CVE-2026-7532
7.5 HIGH

iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an …

Jun 25, 2026
CVE-2026-7511
7.5 HIGH

PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.

Jun 25, 2026
CVE-2026-6331
7.5 HIGH

HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the …

Jun 25, 2026
CVE-2026-6325
7.5 HIGH

Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer.

Jun 25, 2026
CVE-2026-54479
7.3 HIGH

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results …

Jun 25, 2026
CVE-2026-50176
7.5 HIGH

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service …

Jun 25, 2026
CVE-2026-22879
8.1 HIGH

vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability

Jun 25, 2026
CVE-2026-13283
7.5 HIGH

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific …

Jun 25, 2026
CVE-2026-13281
8.3 HIGH

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox …

Jun 25, 2026
CVE-2026-12992
7.4 HIGH

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to …

Jun 25, 2026
CVE-2026-12975
8.5 HIGH

A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker …

Jun 25, 2026
CVE-2026-11800
8.1 HIGH

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to …

Jun 25, 2026
CVE-2026-11703
7.5 HIGH

Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a …

Jun 25, 2026
CVE-2025-71340
8.1 HIGH

picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. Attackers can embed undetected code in pickle files that executes …

Jun 25, 2026
CVE-2025-71335
8.1 HIGH

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who …

Jun 25, 2026
CVE-2025-71328
8.3 HIGH

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying …

Jun 25, 2026
CVE-2025-71324
7.5 HIGH

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated …

Jun 25, 2026
CVE-2021-47987
7.5 HIGH

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an …

Jun 25, 2026
CVE-2021-47986
7.5 HIGH

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal …

Jun 25, 2026
CVE-2026-6731
7.5 HIGH

X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS …

Jun 25, 2026
CVE-2026-6679
7.5 HIGH

A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to …

Jun 25, 2026
CVE-2026-38640
7.5 HIGH

A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string.

Jun 25, 2026
CVE-2026-38637
7.5 HIGH

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.

Jun 25, 2026
CVE-2026-37452
7.5 HIGH

Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component

Jun 25, 2026
CVE-2026-12473
8.2 HIGH

Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically …

Jun 25, 2026
CVE-2026-57520
7.1 HIGH

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by …

Jun 25, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.