CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-7198
9.8 CRITICAL

CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, …

Jun 2, 2026
CVE-2026-42684
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection. This issue affects …

Jun 2, 2026
CVE-2025-53209
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0.

Jun 2, 2026
CVE-2026-8206
9.8 CRITICAL

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 …

Jun 2, 2026
CVE-2026-25879
9.8 CRITICAL

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. …

Jun 1, 2026
CVE-2026-40965
10.0 CRITICAL

Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys …

Jun 1, 2026
CVE-2018-25427
9.8 CRITICAL

Arm Whois 3.11 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by supplying oversized input to the IP address …

Jun 1, 2026
CVE-2026-9319
9.0 CRITICAL

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security.

Jun 1, 2026
CVE-2026-9311
9.0 CRITICAL

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.

Jun 1, 2026
CVE-2026-8644
9.1 CRITICAL

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.

Jun 1, 2026
CVE-2026-22872
9.1 CRITICAL

Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the …

Jun 1, 2026
CVE-2026-45132
10.0 CRITICAL

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access …

Jun 1, 2026
CVE-2026-45131
10.0 CRITICAL

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork …

Jun 1, 2026
CVE-2026-44211
9.6 CRITICAL

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack …

Jun 1, 2026
CVE-2026-42672
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This …

Jun 1, 2026
CVE-2026-48879
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17.

Jun 1, 2026
CVE-2026-48866
9.6 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal. This issue affects Gravity Forms: …

Jun 1, 2026
CVE-2026-42682
9.1 CRITICAL

Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6.

Jun 1, 2026
CVE-2026-42680
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through …

Jun 1, 2026
CVE-2026-7858
9.8 CRITICAL

A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA …

Jun 1, 2026
CVE-2026-42252
9.1 CRITICAL

Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization …

Jun 1, 2026
CVE-2026-48188
9.1 CRITICAL

An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication …

Jun 1, 2026
CVE-2026-10187
9.8 CRITICAL

A vulnerability was detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web Management …

May 31, 2026
CVE-2018-25412
9.8 CRITICAL

Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted …

May 30, 2026
CVE-2026-45700
9.8 CRITICAL

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE …

May 29, 2026
CVE-2026-45697
9.8 CRITICAL

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default …

May 29, 2026
CVE-2026-45372
9.9 CRITICAL

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every …

May 29, 2026
CVE-2026-9051
9.1 CRITICAL

There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading …

May 29, 2026
CVE-2026-47744
9.9 CRITICAL

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take …

May 29, 2026
CVE-2026-44650
9.1 CRITICAL

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. …

May 29, 2026
CVE-2026-44649
9.8 CRITICAL

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. …

May 29, 2026
CVE-2026-7786
9.8 CRITICAL

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can …

May 29, 2026
CVE-2026-5386
9.1 CRITICAL

The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password …

May 29, 2026
CVE-2026-45661
9.9 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows …

May 29, 2026
CVE-2026-45633
9.9 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. …

May 29, 2026
CVE-2026-45632
9.9 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, …

May 29, 2026
CVE-2026-45631
10.0 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge …

May 29, 2026
CVE-2026-45630
9.0 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner …

May 29, 2026
CVE-2026-45629
9.9 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any …

May 29, 2026
CVE-2026-45628
9.6 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them …

May 29, 2026
CVE-2026-45625
9.9 CRITICAL

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and …

May 29, 2026
CVE-2026-45663
9.9 CRITICAL

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. …

May 29, 2026
CVE-2026-44962
9.9 CRITICAL

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This …

May 29, 2026
CVE-2026-4290
9.1 CRITICAL

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and …

May 29, 2026
CVE-2026-10042
9.8 CRITICAL

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, …

May 29, 2026
CVE-2026-46376
9.8 CRITICAL

FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel …

May 29, 2026
CVE-2026-45312
9.9 CRITICAL

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user …

May 29, 2026
CVE-2026-10071
9.8 CRITICAL

DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code …

May 29, 2026
CVE-2026-9559
9.9 CRITICAL

A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the …

May 29, 2026
CVE-2025-41277
9.8 CRITICAL

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall …

May 29, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.