CVE Database

109206+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-7533
4.3 MEDIUM

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to …

May 28, 2026
CVE-2026-3173
6.5 MEDIUM

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due …

May 28, 2026
CVE-2026-9796
6.5 MEDIUM

A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin …

May 28, 2026
CVE-2026-9795
7.3 HIGH

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any …

May 28, 2026
CVE-2026-9794
5.3 MEDIUM

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security …

May 28, 2026
CVE-2026-9793
5.9 MEDIUM

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the …

May 28, 2026
CVE-2026-9792
6.5 MEDIUM

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce …

May 28, 2026
CVE-2026-9791
4.3 MEDIUM

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account …

May 28, 2026
CVE-2026-9241
4.3 MEDIUM

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and …

May 28, 2026
CVE-2026-9228
4.3 MEDIUM

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 …

May 28, 2026
CVE-2026-7802
8.8 HIGH

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to …

May 28, 2026
CVE-2026-5737
6.5 MEDIUM

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a …

May 28, 2026
CVE-2026-32999
9.0 CRITICAL

Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a …

May 28, 2026
CVE-2026-32998

This vulnerability in Veeam Service Provider Console allows for remote code execution.

May 28, 2026
CVE-2026-32997

A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.

May 28, 2026
CVE-2026-32996

This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation.

May 28, 2026
CVE-2026-32995
7.5 HIGH

The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly …

May 28, 2026
CVE-2026-2374
7.2 HIGH

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, …

May 28, 2026
CVE-2026-9789

A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the the PSAdminAgent service, which creates a …

May 28, 2026
CVE-2026-8915
8.8 HIGH

Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 36f5fb58366a67b713c02f6fd985e924fcc09e31.

May 28, 2026
CVE-2026-4888
4.3 MEDIUM

The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to …

May 28, 2026
CVE-2026-9739

Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. …

May 27, 2026
CVE-2026-46544
5.3 MEDIUM

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses …

May 27, 2026
CVE-2026-46538
5.9 MEDIUM

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and …

May 27, 2026
CVE-2026-46416
6.3 MEDIUM

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple …

May 27, 2026
CVE-2026-46414
8.8 HIGH

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in …

May 27, 2026
CVE-2026-46402
8.1 HIGH

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log …

May 27, 2026
CVE-2026-45322
7.8 HIGH

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection …

May 27, 2026
CVE-2026-9208
8.8 HIGH

Tanium addressed an unauthorized code execution vulnerability in Connect.

May 27, 2026
CVE-2026-45152
7.8 HIGH

uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of …

May 27, 2026
CVE-2026-45083
9.8 CRITICAL

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi …

May 27, 2026
CVE-2026-44720

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access …

May 27, 2026
CVE-2026-44247
6.8 MEDIUM

Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming …

May 27, 2026
CVE-2026-47270
6.3 MEDIUM

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, …

May 27, 2026
CVE-2026-47269
7.4 HIGH

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request …

May 27, 2026
CVE-2026-45137
8.2 HIGH

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, an logic error causes anchor programs to …

May 27, 2026
CVE-2026-45136
7.8 HIGH

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly …

May 27, 2026
CVE-2026-44713
8.8 HIGH

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and …

May 27, 2026
CVE-2026-44712
8.2 HIGH

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE …

May 27, 2026
CVE-2026-44711
7.9 HIGH

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and …

May 27, 2026
CVE-2026-44710
4.6 MEDIUM

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to …

May 27, 2026
CVE-2026-44709
7.8 HIGH

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any …

May 27, 2026
CVE-2026-44660
7.5 HIGH

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a …

May 27, 2026
CVE-2026-21785
4.0 MEDIUM

A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers …

May 27, 2026
CVE-2026-9759
5.5 MEDIUM

ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service

May 27, 2026
CVE-2026-8364
9.8 CRITICAL

Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, …

May 27, 2026
CVE-2026-8363
9.8 CRITICAL

A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources:

May 27, 2026
CVE-2026-8362
9.8 CRITICAL

A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome

May 27, 2026
CVE-2026-8361
7.5 HIGH

A path traversal vulnerability exists in WOSDefaultHttpModule.dll when processing a URL path starting with /woshome

May 27, 2026
CVE-2026-8360
7.5 HIGH

Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server …

May 27, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.