CVE Database

109208+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-32749
5.3 MEDIUM

Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, …

May 22, 2026
CVE-2025-32747
5.3 MEDIUM

Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to …

May 22, 2026
CVE-2025-32746
4.0 MEDIUM

Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Sensitive Information vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading …

May 22, 2026
CVE-2025-32745
4.2 MEDIUM

Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to …

May 22, 2026
CVE-2025-26483
6.1 MEDIUM

Dell PowerFlex Manager, versions 4.6.2 and prior, contains an Open Redirect Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability, leading to a targeted application …

May 22, 2026
CVE-2026-44930
9.8 CRITICAL

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from …

May 22, 2026
CVE-2026-44618
5.3 MEDIUM

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 …

May 22, 2026
CVE-2026-44417
7.5 HIGH

The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead …

May 22, 2026
CVE-2026-5755
6.5 MEDIUM

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in …

May 22, 2026
CVE-2026-5740
7.5 HIGH

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which …

May 22, 2026
CVE-2026-5308
4.9 MEDIUM

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints …

May 22, 2026
CVE-2026-4646
4.3 MEDIUM

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows …

May 22, 2026
CVE-2026-4635
6.5 MEDIUM

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows …

May 22, 2026
CVE-2026-3636
4.3 MEDIUM

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to …

May 22, 2026
CVE-2026-3473
5.9 MEDIUM

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an …

May 22, 2026
CVE-2026-25608

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such …

May 22, 2026
CVE-2026-25607

Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known …

May 22, 2026
CVE-2026-25606

A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. …

May 22, 2026
CVE-2026-9011
7.5 HIGH

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. …

May 22, 2026
CVE-2026-8692
4.3 MEDIUM

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all …

May 22, 2026
CVE-2026-8684
5.3 MEDIUM

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the …

May 22, 2026
CVE-2026-8679
7.5 HIGH

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() …

May 22, 2026
CVE-2026-8381
5.4 MEDIUM

A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, …

May 22, 2026
CVE-2026-7798
5.4 MEDIUM

The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery …

May 22, 2026
CVE-2026-7636
4.3 MEDIUM

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and …

May 22, 2026
CVE-2026-7615
4.3 MEDIUM

The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing …

May 22, 2026
CVE-2026-5072
6.5 MEDIUM

A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted …

May 22, 2026
CVE-2026-9104
6.4 MEDIUM

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due …

May 22, 2026
CVE-2026-9018
8.8 HIGH

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, …

May 22, 2026
CVE-2026-7509
6.4 MEDIUM

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up …

May 22, 2026
CVE-2026-7249
4.3 MEDIUM

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in …

May 22, 2026
CVE-2026-6864
6.1 MEDIUM

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, …

May 22, 2026
CVE-2026-4070
4.3 MEDIUM

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due …

May 22, 2026
CVE-2026-44409
5.7 MEDIUM

There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, …

May 22, 2026
CVE-2026-3481
6.1 MEDIUM

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This …

May 22, 2026
CVE-2026-2518
4.3 MEDIUM

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions …

May 22, 2026
CVE-2026-9054

An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel panic.

May 22, 2026
CVE-2026-9053

Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default …

May 22, 2026
CVE-2026-4834
7.5 HIGH

The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 1.5.1. This …

May 22, 2026
CVE-2026-46598
5.3 MEDIUM

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

May 22, 2026
CVE-2026-46597
7.5 HIGH

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

May 22, 2026
CVE-2026-46595
10.0 CRITICAL

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the …

May 22, 2026
CVE-2026-42508
9.1 CRITICAL

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

May 22, 2026
CVE-2026-39835
5.3 MEDIUM

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a …

May 22, 2026
CVE-2026-39834
9.1 CRITICAL

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused …

May 22, 2026
CVE-2026-39833
9.1 CRITICAL

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, …

May 22, 2026
CVE-2026-39832
9.1 CRITICAL

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when …

May 22, 2026
CVE-2026-39831
9.1 CRITICAL

The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing …

May 22, 2026
CVE-2026-39830
9.1 CRITICAL

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not …

May 22, 2026
CVE-2026-39829
7.5 HIGH

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or …

May 22, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.