CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-23558
7.8 HIGH

The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a …

May 19, 2026
CVE-2026-23557
6.5 MEDIUM

Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built …

May 19, 2026
CVE-2025-40904
6.5 MEDIUM

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited …

May 19, 2026
CVE-2025-40903
5.9 MEDIUM

A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with …

May 19, 2026
CVE-2025-40902
5.9 MEDIUM

A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges …

May 19, 2026
CVE-2025-40901
5.9 MEDIUM

A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative …

May 19, 2026
CVE-2025-40900
4.6 MEDIUM

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges …

May 19, 2026
CVE-2025-14575

An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to …

May 19, 2026
CVE-2026-8912
7.5 HIGH

The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due …

May 19, 2026
CVE-2026-4883
9.8 CRITICAL

The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions …

May 19, 2026
CVE-2026-7860

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build …

May 19, 2026
CVE-2026-7571
7.1 HIGH

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable …

May 19, 2026
CVE-2026-7507
7.5 HIGH

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a …

May 19, 2026
CVE-2026-7504
8.1 HIGH

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users …

May 19, 2026
CVE-2026-7307
7.5 HIGH

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. …

May 19, 2026
CVE-2026-4630
6.8 MEDIUM

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. …

May 19, 2026
CVE-2026-45442
4.3 MEDIUM

Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3.

May 19, 2026
CVE-2026-43493
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests MAY_BACKLOG requests can return EBUSY. Handle them …

May 19, 2026
CVE-2026-43492

In the Linux kernel, the following vulnerability has been resolved: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Yiming reports an integer underflow in mpi_read_raw_from_sgl() when …

May 19, 2026
CVE-2026-43491

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current code does no bound …

May 19, 2026
CVE-2026-37982
6.8 MEDIUM

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting …

May 19, 2026
CVE-2026-37981
4.3 MEDIUM

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns …

May 19, 2026
CVE-2026-37979
6.5 MEDIUM

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience …

May 19, 2026
CVE-2026-37978
4.9 MEDIUM

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an …

May 19, 2026
CVE-2026-8827

The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension …

May 19, 2026
CVE-2026-8727

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized …

May 19, 2026
CVE-2026-8726

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL …

May 19, 2026
CVE-2026-46725

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload …

May 19, 2026
CVE-2026-46724

The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations …

May 19, 2026
CVE-2026-46723

The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can …

May 19, 2026
CVE-2026-46722

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can …

May 19, 2026
CVE-2026-46721

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group …

May 19, 2026
CVE-2026-46586
8.8 HIGH

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects …

May 19, 2026
CVE-2026-45434
9.8 CRITICAL

Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended …

May 19, 2026
CVE-2026-45187
6.5 MEDIUM

Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the …

May 19, 2026
CVE-2026-41919
9.1 CRITICAL

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are …

May 19, 2026
CVE-2026-35086
6.5 MEDIUM

Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended …

May 19, 2026
CVE-2026-31986
9.1 CRITICAL

Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which …

May 19, 2026
CVE-2026-31910
7.5 HIGH

Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes …

May 19, 2026
CVE-2026-31909
7.5 HIGH

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to …

May 19, 2026
CVE-2026-31906
6.1 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to …

May 19, 2026
CVE-2026-31388
5.3 MEDIUM

Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, …

May 19, 2026
CVE-2026-31387
5.3 MEDIUM

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

May 19, 2026
CVE-2026-31380
6.5 MEDIUM

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. …

May 19, 2026
CVE-2026-31379
6.1 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation …

May 19, 2026
CVE-2026-31378
6.5 MEDIUM

Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the …

May 19, 2026
CVE-2026-2611
9.6 CRITICAL

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin …

May 19, 2026
CVE-2026-29226
7.3 HIGH

Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to …

May 19, 2026
CVE-2026-29220
6.5 MEDIUM

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended …

May 19, 2026
CVE-2026-29207
6.5 MEDIUM

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to …

May 19, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.