CVE Database

109208+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-40833
7.1 HIGH

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php files saveDashboardLayout function due to improper neutralization of special elements …

May 27, 2026
CVE-2026-40832
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40831
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40830
5.5 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements …

May 27, 2026
CVE-2026-40829
5.5 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php files UpdateParam function due to improper neutralization of special elements …

May 27, 2026
CVE-2026-40828
5.5 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40827
5.5 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-2237
6.2 MEDIUM

A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on …

May 27, 2026
CVE-2025-66593
6.1 MEDIUM

An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.

May 27, 2026
CVE-2025-66592
6.1 MEDIUM

An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content and …

May 27, 2026
CVE-2025-52747
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS. This issue affects Themebox …

May 27, 2026
CVE-2025-30028
8.6 HIGH

A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.

May 27, 2026
CVE-2025-22741
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a …

May 27, 2026
CVE-2025-14713
7.5 HIGH

An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials …

May 27, 2026
CVE-2025-13593
6.1 MEDIUM

Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation.

May 27, 2026
CVE-2025-13392
8.1 HIGH

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote …

May 27, 2026
CVE-2025-13167
5.4 MEDIUM

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read …

May 27, 2026
CVE-2025-12686
9.8 CRITICAL

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary …

May 27, 2026
CVE-2025-10466
5.9 MEDIUM

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with …

May 27, 2026
CVE-2024-47272
2.7 LOW

Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file …

May 27, 2026
CVE-2024-47271
4.9 MEDIUM

Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive …

May 27, 2026
CVE-2024-47270
2.7 LOW

Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to …

May 27, 2026
CVE-2024-47269
4.9 MEDIUM

Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges …

May 27, 2026
CVE-2024-47268
4.9 MEDIUM

Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information …

May 27, 2026
CVE-2024-47267
2.7 LOW

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows …

May 27, 2026
CVE-2024-11399
6.8 MEDIUM

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks …

May 27, 2026
CVE-2023-52945
7.8 HIGH

Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified …

May 27, 2026
CVE-2026-8942
4.3 MEDIUM

The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to …

May 27, 2026
CVE-2026-8906
6.1 MEDIUM

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing …

May 27, 2026
CVE-2026-8832
8.8 HIGH

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in …

May 27, 2026
CVE-2026-8143
7.2 HIGH

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including, …

May 27, 2026
CVE-2026-8042
6.4 MEDIUM

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up …

May 27, 2026
CVE-2026-7618
4.9 MEDIUM

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, …

May 27, 2026
CVE-2026-6169
7.2 HIGH

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin …

May 27, 2026
CVE-2026-49001
5.3 MEDIUM

Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as …

May 27, 2026
CVE-2026-41704
5.0 MEDIUM

AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. …

May 27, 2026
CVE-2026-41009
5.8 MEDIUM

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line …

May 27, 2026
CVE-2026-40826
4.9 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40825
5.5 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements …

May 27, 2026
CVE-2026-40824
5.5 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements …

May 27, 2026
CVE-2026-40823
5.5 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40822
4.9 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40821
4.9 MEDIUM

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40819
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40818
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40817
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40816
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in …

May 27, 2026
CVE-2026-40815
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40814
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in …

May 27, 2026
CVE-2026-40813
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in …

May 27, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.