CVE Database

109208+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-45836

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() …

May 26, 2026
CVE-2026-45835

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() …

May 26, 2026
CVE-2026-45834

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() …

May 26, 2026
CVE-2026-45728
7.5 HIGH

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode …

May 26, 2026
CVE-2026-45721
9.0 CRITICAL

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without …

May 26, 2026
CVE-2026-44729
8.7 HIGH

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using …

May 26, 2026
CVE-2026-44723
5.0 MEDIUM

Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four …

May 26, 2026
CVE-2026-44680
7.6 HIGH

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, …

May 26, 2026
CVE-2026-44502
4.3 MEDIUM

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. …

May 26, 2026
CVE-2026-44314
4.3 MEDIUM

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams …

May 26, 2026
CVE-2026-43982

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check …

May 26, 2026
CVE-2026-43981

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since …

May 26, 2026
CVE-2026-40384
7.5 HIGH

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

May 26, 2026
CVE-2026-40383
9.8 CRITICAL

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

May 26, 2026
CVE-2026-35223
9.8 CRITICAL

An improper access check allows unauthorized access to com_config webservice endpoints.

May 26, 2026
CVE-2026-35222
9.8 CRITICAL

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

May 26, 2026
CVE-2026-35221
9.8 CRITICAL

Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

May 26, 2026
CVE-2026-35220
4.3 MEDIUM

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

May 26, 2026
CVE-2026-30895
6.1 MEDIUM

Lack of output escaping leads to a XSS vector in the readmore links for com_content.

May 26, 2026
CVE-2026-30894
6.1 MEDIUM

Lack of output escaping leads to a XSS vector in the content history component.

May 26, 2026
CVE-2026-2264

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For …

May 26, 2026
CVE-2026-25901
6.1 MEDIUM

Lack of output escaping leads to a XSS vector in the multilingual associations component.

May 26, 2026
CVE-2026-25900
6.1 MEDIUM

Lack of output escaping leads to a XSS vector in the feed modules.

May 26, 2026
CVE-2026-24212
7.5 HIGH

NVIDIA Isaac Launchable for Linux contains a vulnerability where sensitive information is transmitted in clear text. A successful exploit of this vulnerability might lead to …

May 26, 2026
CVE-2026-24162
7.8 HIGH

NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead …

May 26, 2026
CVE-2025-36221
5.3 MEDIUM

IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords default passwords from …

May 26, 2026
CVE-2025-36220
4.3 MEDIUM

IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A …

May 26, 2026
CVE-2025-36148
5.4 MEDIUM

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows …

May 26, 2026
CVE-2025-36145
5.4 MEDIUM

IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files …

May 26, 2026
CVE-2025-36126
6.4 MEDIUM

IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. …

May 26, 2026
CVE-2025-14290
5.4 MEDIUM

IBM webMethods Integration (on prem) -Integration Server 10.15 through IS_10.15_Core_Fix2611.1 to IS_11.1_Core_Fix10 IBM webMethods Integration is vulnerable to server-side request forgery (SSRF). This may allow …

May 26, 2026
CVE-2025-13755
5.5 MEDIUM

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files …

May 26, 2026
CVE-2026-48692
8.1 HIGH

FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials() (src/fastnetmon.cpp line …

May 26, 2026
CVE-2026-48688
7.5 HIGH

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment …

May 26, 2026
CVE-2026-48687
9.8 CRITICAL

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs …

May 26, 2026
CVE-2026-48686
9.8 CRITICAL

FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads …

May 26, 2026
CVE-2026-48685
6.5 MEDIUM

FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the extended length flag set. In src/bgp_protocol.hpp, the …

May 26, 2026
CVE-2026-48684
6.5 MEDIUM

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) …

May 26, 2026
CVE-2026-48683
6.5 MEDIUM

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read vulnerability in the NetFlow v9 data flowset processor. In src/netflow_plugin/netflow_v9_collector.cpp, the Data template branch (lines 1695-1702) …

May 26, 2026
CVE-2026-46620
6.5 MEDIUM

e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem …

May 26, 2026
CVE-2026-43936
4.3 MEDIUM

e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from …

May 26, 2026
CVE-2026-43935
8.1 HIGH

e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the …

May 26, 2026
CVE-2026-43934
6.5 MEDIUM

e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to …

May 26, 2026
CVE-2026-40564
6.5 MEDIUM

Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so …

May 26, 2026
CVE-2026-38587
4.3 MEDIUM

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated …

May 26, 2026
CVE-2026-25112
7.8 HIGH

A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack.

May 26, 2026
CVE-2026-9552
7.3 HIGH

A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The …

May 26, 2026
CVE-2026-9551
7.3 HIGH

A vulnerability was identified in Das Parking Management System 停车场管理系统 6.2.0. This affects the function xp_cmdshell of the file ParkingRecord/ExportParkingRecords of the component API Endpoint. …

May 26, 2026
CVE-2026-9550
7.3 HIGH

A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of …

May 26, 2026
CVE-2026-4480
8.5 HIGH

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting …

May 26, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.