CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-47092
7.8 HIGH

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC …

May 18, 2026
CVE-2026-47091
3.3 LOW

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path …

May 18, 2026
CVE-2026-47090
4.6 MEDIUM

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters …

May 18, 2026
CVE-2026-45246
5.5 MEDIUM

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by …

May 18, 2026
CVE-2026-45245
7.4 HIGH

Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing …

May 18, 2026
CVE-2026-45244
5.4 MEDIUM

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation …

May 18, 2026
CVE-2026-21789
4.6 MEDIUM

HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.

May 18, 2026
CVE-2025-65954
6.1 MEDIUM

SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout …

May 18, 2026
CVE-2026-8836
9.8 CRITICAL

A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing …

May 18, 2026
CVE-2026-45243
6.1 MEDIUM

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation …

May 18, 2026
CVE-2026-45242
7.1 HIGH

Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by …

May 18, 2026
CVE-2026-45231
6.1 MEDIUM

DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization …

May 18, 2026
CVE-2026-45495
8.8 HIGH

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

May 18, 2026
CVE-2026-45494
5.4 MEDIUM

Microsoft Edge (Chromium-based) Spoofing Vulnerability

May 18, 2026
CVE-2026-45492
5.4 MEDIUM

Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

May 18, 2026
CVE-2026-45230
9.1 CRITICAL

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files …

May 18, 2026
CVE-2026-42822
10.0 CRITICAL

Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.

May 18, 2026
CVE-2026-32849
5.5 MEDIUM

NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as …

May 18, 2026
CVE-2026-32848
4.7 MEDIUM

NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition …

May 18, 2026
CVE-2026-29965
6.1 MEDIUM

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or …

May 18, 2026
CVE-2026-29964
6.1 MEDIUM

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript …

May 18, 2026
CVE-2026-29963
7.5 HIGH

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to …

May 18, 2026
CVE-2026-29962
7.5 HIGH

HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that …

May 18, 2026
CVE-2023-24215
9.1 CRITICAL

Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.

May 18, 2026
CVE-2026-8843
6.5 MEDIUM

Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will …

May 18, 2026
CVE-2026-45829

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the …

May 18, 2026
CVE-2026-41085
8.8 HIGH

Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain …

May 18, 2026
CVE-2026-38719
6.2 MEDIUM

OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply …

May 18, 2026
CVE-2026-36438
5.3 MEDIUM

An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd

May 18, 2026
CVE-2026-20685
6.5 MEDIUM

An attacker in a privileged network position may be able to leak sensitive information. A path handling issue was addressed with improved validation. This issue …

May 18, 2026
CVE-2025-57282
8.8 HIGH

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.

May 18, 2026
CVE-2025-56352
7.5 HIGH

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while …

May 18, 2026
CVE-2026-41949
5.9 MEDIUM

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 …

May 18, 2026
CVE-2026-41948
7.7 HIGH

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API …

May 18, 2026
CVE-2026-41947
7.4 HIGH

Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless …

May 18, 2026
CVE-2026-39079
7.5 HIGH

An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBaseApi.php components

May 18, 2026
CVE-2026-26462
7.3 HIGH

Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, …

May 18, 2026
CVE-2026-42009
7.5 HIGH

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator …

May 18, 2026
CVE-2026-8803
3.7 LOW

A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of …

May 18, 2026
CVE-2026-7304
9.8 CRITICAL

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be …

May 18, 2026
CVE-2026-7302
9.1 CRITICAL

SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write …

May 18, 2026
CVE-2026-7301
9.8 CRITICAL

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when …

May 18, 2026
CVE-2026-0983

Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process …

May 18, 2026
CVE-2026-8802
4.3 MEDIUM

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The …

May 18, 2026
CVE-2026-4320

Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of …

May 18, 2026
CVE-2026-41119
6.8 MEDIUM

Dell Live Optics Windows and Personal Edition collectors contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to …

May 18, 2026
CVE-2026-7498
8.8 HIGH

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored XSS. …

May 18, 2026
CVE-2026-6902

A Remote Code Execution vulnerability in P4 (Helix Core) Server's Command-Line Client, prior to the 2025.2 Patch 2, has been fixed to address potential security …

May 18, 2026
CVE-2026-6347
7.6 HIGH

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an …

May 18, 2026
CVE-2026-6346
8.7 HIGH

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which …

May 18, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.