CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-42032
9.1 CRITICAL

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed …

May 13, 2026
CVE-2026-42031
9.8 CRITICAL

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed …

May 13, 2026
CVE-2026-45411
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an …

May 13, 2026
CVE-2026-44009
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.

May 13, 2026
CVE-2026-44008
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call …

May 13, 2026
CVE-2026-44007
9.1 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless …

May 13, 2026
CVE-2026-44006
10.0 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. …

May 13, 2026
CVE-2026-44005
10.0 CRITICAL

vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards …

May 13, 2026
CVE-2026-43999
9.9 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via …

May 13, 2026
CVE-2026-43997
10.0 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use …

May 13, 2026
CVE-2026-41225
9.1 CRITICAL

A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running …

May 13, 2026
CVE-2020-37168
9.8 CRITICAL

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. …

May 13, 2026
CVE-2026-42062
9.8 CRITICAL

ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command …

May 13, 2026
CVE-2026-40621
9.8 CRITICAL

ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.

May 13, 2026
CVE-2026-41050
9.9 CRITICAL

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to …

May 13, 2026
CVE-2026-32661
9.8 CRITICAL

Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a specially crafted request to …

May 13, 2026
CVE-2025-11159
9.1 CRITICAL

Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when …

May 13, 2026
CVE-2026-44547
9.6 CRITICAL

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently …

May 12, 2026
CVE-2026-42288
10.0 CRITICAL

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup …

May 12, 2026
CVE-2026-41901
9.0 CRITICAL

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms …

May 12, 2026
CVE-2026-44262
9.4 CRITICAL

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request …

May 12, 2026
CVE-2026-43948
9.9 CRITICAL

wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using …

May 12, 2026
CVE-2026-42854
9.8 CRITICAL

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 …

May 12, 2026
CVE-2026-45185
9.8 CRITICAL

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends …

May 12, 2026
CVE-2026-44225
9.3 CRITICAL

Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, …

May 12, 2026
CVE-2026-44221
9.0 CRITICAL

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on …

May 12, 2026
CVE-2026-42889
9.1 CRITICAL

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, …

May 12, 2026
CVE-2026-34660
9.3 CRITICAL

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of …

May 12, 2026
CVE-2026-34659
9.6 CRITICAL

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the …

May 12, 2026
CVE-2026-44277
9.8 CRITICAL

A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized …

May 12, 2026
CVE-2026-44196
9.1 CRITICAL

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who …

May 12, 2026
CVE-2026-44183
9.8 CRITICAL

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, …

May 12, 2026
CVE-2026-42898
9.9 CRITICAL

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

May 12, 2026
CVE-2026-42833
9.1 CRITICAL

Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

May 12, 2026
CVE-2026-42823
9.9 CRITICAL

Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.

May 12, 2026
CVE-2026-42048
9.6 CRITICAL

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases …

May 12, 2026
CVE-2026-41103
9.1 CRITICAL

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.

May 12, 2026
CVE-2026-41096
9.8 CRITICAL

Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.

May 12, 2026
CVE-2026-41089
9.8 CRITICAL

Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.

May 12, 2026
CVE-2026-40402
9.3 CRITICAL

Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.

May 12, 2026
CVE-2026-40379
9.3 CRITICAL

Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.

May 12, 2026
CVE-2026-33117
9.1 CRITICAL

Improper authentication in Azure SDK allows an unauthorized attacker to bypass a security feature over a network.

May 12, 2026
CVE-2026-31242
9.1 CRITICAL

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send …

May 12, 2026
CVE-2026-31239
9.8 CRITICAL

The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() …

May 12, 2026
CVE-2026-31238
9.8 CRITICAL

The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve …

May 12, 2026
CVE-2026-31237
9.8 CRITICAL

The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the …

May 12, 2026
CVE-2026-31236
9.8 CRITICAL

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to …

May 12, 2026
CVE-2026-31235
9.8 CRITICAL

The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to …

May 12, 2026
CVE-2026-31234
9.8 CRITICAL

Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication …

May 12, 2026
CVE-2026-31233
9.8 CRITICAL

Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the …

May 12, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.