CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-9405
9.8 CRITICAL

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. …

May 25, 2026
CVE-2026-9404
9.8 CRITICAL

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation …

May 24, 2026
CVE-2026-9388
9.8 CRITICAL

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management …

May 24, 2026
CVE-2026-9387
9.8 CRITICAL

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component Web …

May 24, 2026
CVE-2026-9386
9.8 CRITICAL

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation …

May 24, 2026
CVE-2026-9385
9.8 CRITICAL

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This …

May 24, 2026
CVE-2026-9384
9.8 CRITICAL

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The …

May 24, 2026
CVE-2018-25357
9.8 CRITICAL

Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name …

May 23, 2026
CVE-2018-25350
9.8 CRITICAL

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can …

May 23, 2026
CVE-2026-47280
10.0 CRITICAL

Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.

May 22, 2026
CVE-2026-42901
10.0 CRITICAL

Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

May 22, 2026
CVE-2026-41104
10.0 CRITICAL

Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.

May 22, 2026
CVE-2026-41090
9.3 CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

May 22, 2026
CVE-2026-40412
10.0 CRITICAL

Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.

May 22, 2026
CVE-2026-40411
9.9 CRITICAL

Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.

May 22, 2026
CVE-2026-33843
9.1 CRITICAL

Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.

May 22, 2026
CVE-2026-23652
10.0 CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.

May 22, 2026
CVE-2026-33712
10.0 CRITICAL

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Request Forgery …

May 22, 2026
CVE-2026-32253
9.8 CRITICAL

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification …

May 22, 2026
CVE-2026-39821
9.6 CRITICAL

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than …

May 22, 2026
CVE-2026-8670
9.6 CRITICAL

Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay). This issue affects Avantra: before 25.3.1.

May 22, 2026
CVE-2026-44930
9.8 CRITICAL

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from …

May 22, 2026
CVE-2026-46595
10.0 CRITICAL

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the …

May 22, 2026
CVE-2026-42508
9.1 CRITICAL

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

May 22, 2026
CVE-2026-39834
9.1 CRITICAL

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused …

May 22, 2026
CVE-2026-39833
9.1 CRITICAL

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, …

May 22, 2026
CVE-2026-39832
9.1 CRITICAL

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when …

May 22, 2026
CVE-2026-39831
9.1 CRITICAL

The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing …

May 22, 2026
CVE-2026-39830
9.1 CRITICAL

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not …

May 22, 2026
CVE-2026-9264
9.3 CRITICAL

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The …

May 22, 2026
CVE-2026-34910
10.0 CRITICAL KEV

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

May 22, 2026
CVE-2026-34909
10.0 CRITICAL KEV

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying …

May 22, 2026
CVE-2026-34908
10.0 CRITICAL KEV

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to …

May 22, 2026
CVE-2026-33000
9.1 CRITICAL

A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute …

May 22, 2026
CVE-2026-6960
9.8 CRITICAL

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions …

May 21, 2026
CVE-2026-48207
9.8 CRITICAL

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is …

May 21, 2026
CVE-2026-39531
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This …

May 21, 2026
CVE-2025-71211
9.8 CRITICAL

A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. …

May 21, 2026
CVE-2025-71210
9.8 CRITICAL

A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. …

May 21, 2026
CVE-2026-5118
9.8 CRITICAL

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin …

May 21, 2026
CVE-2026-5433
9.1 CRITICAL

Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in …

May 21, 2026
CVE-2026-44050
9.9 CRITICAL

A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with …

May 21, 2026
CVE-2026-6279
9.8 CRITICAL

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. …

May 21, 2026
CVE-2026-48172
9.8 CRITICAL KEV

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via …

May 21, 2026
CVE-2026-47372
9.1 CRITICAL

Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for …

May 20, 2026
CVE-2026-8631
9.8 CRITICAL

A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary …

May 20, 2026
CVE-2026-9141
9.8 CRITICAL

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers …

May 20, 2026
CVE-2026-9139
9.8 CRITICAL

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented …

May 20, 2026
CVE-2026-9082
9.8 CRITICAL KEV

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: …

May 20, 2026
CVE-2026-45444
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files. This issue affects Gift Cards …

May 20, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.