CVE Database

109208+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-42627
6.2 MEDIUM

In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn/Tensor.cpp allows a crafted TFLite model file to bypass buffer size validation and trigger …

May 22, 2026
CVE-2026-39965
7.7 HIGH

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block …

May 22, 2026
CVE-2026-39964
5.4 MEDIUM

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering …

May 22, 2026
CVE-2026-9255
7.8 HIGH

Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, …

May 22, 2026
CVE-2026-42626
5.9 MEDIUM

HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not properly manage concurrent TCP connections to port 9100 (JetDirect/RAW printing). An unauthenticated remote attacker on the same …

May 22, 2026
CVE-2026-37470
7.3 HIGH

An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers …

May 22, 2026
CVE-2026-36228
7.3 HIGH

Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality

May 22, 2026
CVE-2026-36227
6.5 MEDIUM

Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter

May 22, 2026
CVE-2026-36226
6.1 MEDIUM

Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project …

May 22, 2026
CVE-2026-34207
7.6 HIGH

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked …

May 22, 2026
CVE-2026-33712
10.0 CRITICAL

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Request Forgery …

May 22, 2026
CVE-2026-32253
9.8 CRITICAL

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification …

May 22, 2026
CVE-2026-28735
5.4 MEDIUM

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which …

May 22, 2026
CVE-2026-28445
8.7 HIGH

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via …

May 22, 2026
CVE-2026-28444
6.5 MEDIUM

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs …

May 22, 2026
CVE-2026-9251
5.4 MEDIUM

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain …

May 22, 2026
CVE-2026-9249
3.1 LOW

Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. …

May 22, 2026
CVE-2026-9248
2.6 LOW

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments …

May 22, 2026
CVE-2026-9247
2.4 LOW

Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the …

May 22, 2026
CVE-2026-9246
4.3 MEDIUM

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation …

May 22, 2026
CVE-2026-9245
5.0 MEDIUM

Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via …

May 22, 2026
CVE-2026-9224
4.3 MEDIUM

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a …

May 22, 2026
CVE-2026-9223
4.3 MEDIUM

Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted …

May 22, 2026
CVE-2026-9047
7.6 HIGH

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to …

May 22, 2026
CVE-2026-8477
2.7 LOW

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry …

May 22, 2026
CVE-2026-7325
7.1 HIGH

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM …

May 22, 2026
CVE-2026-5171
4.3 MEDIUM

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required …

May 22, 2026
CVE-2026-42506
6.1 MEDIUM

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in …

May 22, 2026
CVE-2026-42502
6.1 MEDIUM

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in …

May 22, 2026
CVE-2026-39821
9.6 CRITICAL

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than …

May 22, 2026
CVE-2026-27136
6.1 MEDIUM

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in …

May 22, 2026
CVE-2026-25681
6.1 MEDIUM

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in …

May 22, 2026
CVE-2026-25680
6.5 MEDIUM

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

May 22, 2026
CVE-2022-34363
6.5 MEDIUM

Dell Unisphere for PowerMax vApp version prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in vApp

May 22, 2026
CVE-2022-31231
5.9 MEDIUM

Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. A remote unauthenticated attacker may potentially …

May 22, 2026
CVE-2026-9256
8.1 HIGH

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with …

May 22, 2026
CVE-2026-8992
8.8 HIGH

An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.

May 22, 2026
CVE-2026-8353
4.8 MEDIUM

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript …

May 22, 2026
CVE-2026-8347
4.3 MEDIUM

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only …

May 22, 2026
CVE-2026-8340
4.3 MEDIUM

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to …

May 22, 2026
CVE-2025-46371
3.6 LOW

Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the ssh. A low privileged attacker with local …

May 22, 2026
CVE-2025-45145
7.5 HIGH

Directory traversal in Follett Software's Destiny Library Manager 22_0_2_rc1 and fixed in v.22.5 AU1 allows remote attackers to read arbitrary system and application files via …

May 22, 2026
CVE-2025-32751
5.5 MEDIUM

Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, …

May 22, 2026
CVE-2021-21508
6.7 MEDIUM

Dell VxRail versions before 7.0.200 contain a Plain-text Password Storage Vulnerability in VxRail Manager. A sys-admin user may exploit this vulnerability, leading to the disclosure …

May 22, 2026
CVE-2026-9277
8.1 HIGH

shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, …

May 22, 2026
CVE-2026-8997

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application …

May 22, 2026
CVE-2026-8673
5.9 MEDIUM

Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0.

May 22, 2026
CVE-2026-8672
5.1 MEDIUM

Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: …

May 22, 2026
CVE-2026-8671
7.5 HIGH

Insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux, Windows allows Resource Leak Exposure. This issue affects Avantra: before …

May 22, 2026
CVE-2026-8670
9.6 CRITICAL

Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay). This issue affects Avantra: before 25.3.1.

May 22, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.