CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-8679
7.5 HIGH

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() …

May 22, 2026
CVE-2026-8381
5.4 MEDIUM

A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, …

May 22, 2026
CVE-2026-7798
5.4 MEDIUM

The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery …

May 22, 2026
CVE-2026-7636
4.3 MEDIUM

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and …

May 22, 2026
CVE-2026-7615
4.3 MEDIUM

The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing …

May 22, 2026
CVE-2026-5072
6.5 MEDIUM

A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted …

May 22, 2026
CVE-2026-9104
6.4 MEDIUM

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due …

May 22, 2026
CVE-2026-9018
8.8 HIGH

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, …

May 22, 2026
CVE-2026-7509
6.4 MEDIUM

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up …

May 22, 2026
CVE-2026-7249
4.3 MEDIUM

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in …

May 22, 2026
CVE-2026-6864
6.1 MEDIUM

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, …

May 22, 2026
CVE-2026-4070
4.3 MEDIUM

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due …

May 22, 2026
CVE-2026-44409
5.7 MEDIUM

There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, …

May 22, 2026
CVE-2026-3481
6.1 MEDIUM

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This …

May 22, 2026
CVE-2026-2518
4.3 MEDIUM

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions …

May 22, 2026
CVE-2026-9054

An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel panic.

May 22, 2026
CVE-2026-9053

Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default …

May 22, 2026
CVE-2026-4834
7.5 HIGH

The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 1.5.1. This …

May 22, 2026
CVE-2026-46598
5.3 MEDIUM

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

May 22, 2026
CVE-2026-46597
7.5 HIGH

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

May 22, 2026
CVE-2026-46595
10.0 CRITICAL

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the …

May 22, 2026
CVE-2026-42508
9.1 CRITICAL

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

May 22, 2026
CVE-2026-39835
5.3 MEDIUM

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a …

May 22, 2026
CVE-2026-39834
9.1 CRITICAL

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused …

May 22, 2026
CVE-2026-39833
9.1 CRITICAL

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, …

May 22, 2026
CVE-2026-39832
9.1 CRITICAL

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when …

May 22, 2026
CVE-2026-39831
9.1 CRITICAL

The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing …

May 22, 2026
CVE-2026-39830
9.1 CRITICAL

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not …

May 22, 2026
CVE-2026-39829
7.5 HIGH

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or …

May 22, 2026
CVE-2026-39828
6.3 MEDIUM

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a …

May 22, 2026
CVE-2026-39827
6.5 MEDIUM

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting …

May 22, 2026
CVE-2026-9264
9.3 CRITICAL

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The …

May 22, 2026
CVE-2026-34911
7.7 HIGH

A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files …

May 22, 2026
CVE-2026-34910
10.0 CRITICAL KEV

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

May 22, 2026
CVE-2026-34909
10.0 CRITICAL KEV

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying …

May 22, 2026
CVE-2026-34908
10.0 CRITICAL KEV

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to …

May 22, 2026
CVE-2026-33000
9.1 CRITICAL

A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute …

May 22, 2026
CVE-2026-5297

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

May 21, 2026
CVE-2026-8435
6.5 MEDIUM

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a …

May 21, 2026
CVE-2026-8434
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a …

May 21, 2026
CVE-2026-8433
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a …

May 21, 2026
CVE-2026-8432
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a …

May 21, 2026
CVE-2026-8427
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a …

May 21, 2026
CVE-2026-8416
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a …

May 21, 2026
CVE-2026-8415
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS …

May 21, 2026
CVE-2026-8414
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS …

May 21, 2026
CVE-2026-8413
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS …

May 21, 2026
CVE-2026-8412
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS …

May 21, 2026
CVE-2026-8411
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS …

May 21, 2026
CVE-2026-8410
8.8 HIGH

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The The Concrete CMS security team gave this vulnerability a …

May 21, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.