CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-8507
9.8 CRITICAL

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT …

May 17, 2026
CVE-2018-25335
9.8 CRITICAL

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the …

May 17, 2026
CVE-2018-25332
9.8 CRITICAL

GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file …

May 17, 2026
CVE-2018-25320
9.8 CRITICAL

ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability that allows attackers to execute arbitrary commands by leveraging the EXECUTE function. Attackers …

May 17, 2026
CVE-2021-47952
9.8 CRITICAL

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. …

May 16, 2026
CVE-2020-37239
9.8 CRITICAL

libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers …

May 16, 2026
CVE-2020-37228
9.8 CRITICAL

iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can …

May 16, 2026
CVE-2026-44551
9.1 CRITICAL

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the …

May 15, 2026
CVE-2026-46364
9.8 CRITICAL

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated …

May 15, 2026
CVE-2026-45010
9.1 CRITICAL

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or …

May 15, 2026
CVE-2021-47965
9.8 CRITICAL

WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file …

May 15, 2026
CVE-2026-44774
9.9 CRITICAL

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute …

May 15, 2026
CVE-2026-44717
9.8 CRITICAL

MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical …

May 15, 2026
CVE-2026-41258
9.1 CRITICAL

OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored …

May 15, 2026
CVE-2026-45772
9.8 CRITICAL

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when …

May 15, 2026
CVE-2026-41553
10.0 CRITICAL

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated …

May 15, 2026
CVE-2026-8398
9.8 CRITICAL KEV

A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between …

May 15, 2026
CVE-2026-5229
9.8 CRITICAL

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting …

May 15, 2026
CVE-2026-44212
9.3 CRITICAL

PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office …

May 14, 2026
CVE-2026-8634
9.1 CRITICAL

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets …

May 14, 2026
CVE-2026-8580
9.6 CRITICAL

Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML …

May 14, 2026
CVE-2026-8511
9.6 CRITICAL

Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML …

May 14, 2026
CVE-2026-26191
9.8 CRITICAL

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to …

May 14, 2026
CVE-2026-45375
9.0 CRITICAL

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json …

May 14, 2026
CVE-2026-44592
9.4 CRITICAL

Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register …

May 14, 2026
CVE-2026-44523
10.0 CRITICAL

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts …

May 14, 2026
CVE-2026-44542
9.1 CRITICAL

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior …

May 14, 2026
CVE-2026-41615
9.6 CRITICAL

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.

May 14, 2026
CVE-2026-42555
9.1 CRITICAL

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to …

May 14, 2026
CVE-2026-20182
10.0 CRITICAL KEV

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February …

May 14, 2026
CVE-2026-42596
9.4 CRITICAL

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. …

May 14, 2026
CVE-2026-42589
9.8 CRITICAL

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys …

May 14, 2026
CVE-2026-44482
9.6 CRITICAL

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload …

May 14, 2026
CVE-2026-42457
9.0 CRITICAL

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a …

May 14, 2026
CVE-2026-2347
9.8 CRITICAL

Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001.

May 14, 2026
CVE-2025-11024
9.8 CRITICAL

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL …

May 14, 2026
CVE-2026-6512
9.1 CRITICAL

The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin …

May 14, 2026
CVE-2026-6510
9.8 CRITICAL

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due …

May 14, 2026
CVE-2026-6271
9.8 CRITICAL

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. …

May 14, 2026
CVE-2026-8181
9.8 CRITICAL

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is …

May 14, 2026
CVE-2026-8500
9.8 CRITICAL

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The …

May 13, 2026
CVE-2026-45158
9.1 CRITICAL

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, …

May 13, 2026
CVE-2026-44442
9.9 CRITICAL

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to …

May 13, 2026
CVE-2026-44194
9.1 CRITICAL

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a …

May 13, 2026
CVE-2026-44193
9.1 CRITICAL

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote …

May 13, 2026
CVE-2026-45714
9.1 CRITICAL

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, …

May 13, 2026
CVE-2026-45053
9.1 CRITICAL

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) …

May 13, 2026
CVE-2026-44377
9.1 CRITICAL

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates …

May 13, 2026
CVE-2025-27851
9.3 CRITICAL

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the …

May 13, 2026
CVE-2026-44351
9.1 CRITICAL

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to …

May 13, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.