CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-23998
7.5 HIGH

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed …

May 14, 2026
CVE-2026-22707
5.4 MEDIUM

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the …

May 14, 2026
CVE-2026-22706
6.5 MEDIUM

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the …

May 14, 2026
CVE-2026-22599
7.2 HIGH

Strapi is an open source headless content management system. In versions on the 4.x branch prior to 4.26.1 and on the 5.x branch prior to …

May 14, 2026
CVE-2025-64526
5.3 MEDIUM

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit …

May 14, 2026
CVE-2026-6332

CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code …

May 14, 2026
CVE-2026-46470
4.0 MEDIUM

An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data …

May 14, 2026
CVE-2026-46469
4.0 MEDIUM

An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate atom data …

May 14, 2026
CVE-2026-44544

gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the …

May 14, 2026
CVE-2026-44542
9.1 CRITICAL

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior …

May 14, 2026
CVE-2026-44520
5.7 MEDIUM

Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py …

May 14, 2026
CVE-2026-44283
0.0 NONE

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read …

May 14, 2026
CVE-2026-42897
8.1 HIGH KEV

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

May 14, 2026
CVE-2026-42598

Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from …

May 14, 2026
CVE-2026-42572
5.3 MEDIUM

Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET …

May 14, 2026
CVE-2026-42334
7.5 HIGH

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing …

May 14, 2026
CVE-2026-41888
6.5 MEDIUM

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: …

May 14, 2026
CVE-2026-41615
9.6 CRITICAL

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.

May 14, 2026
CVE-2025-15024
8.8 HIGH

Improper Control of Generation of Code ('Code Injection') vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System …

May 14, 2026
CVE-2025-15023
8.8 HIGH

Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control …

May 14, 2026
CVE-2026-6923
3.8 LOW

A side-channel attack, which requires a physical presence to the TPM, can lead to extraction of an Elliptic Curve Diffie-Hellman (ECDH) key.

May 14, 2026
CVE-2026-45448
4.3 MEDIUM

CWE-601 URL redirection to untrusted site ('open redirect')

May 14, 2026
CVE-2026-44827
8.8 HIGH

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines …

May 14, 2026
CVE-2026-44516
7.6 HIGH

Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP …

May 14, 2026
CVE-2026-44515

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the …

May 14, 2026
CVE-2026-44514
6.5 MEDIUM

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on …

May 14, 2026
CVE-2026-44513
8.8 HIGH

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user …

May 14, 2026
CVE-2026-44511
7.4 HIGH

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user …

May 14, 2026
CVE-2026-44348
2.5 LOW

PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf …

May 14, 2026
CVE-2026-44312
5.8 MEDIUM

css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker …

May 14, 2026
CVE-2026-42555
9.1 CRITICAL

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to …

May 14, 2026
CVE-2026-20224
8.6 HIGH

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that …

May 14, 2026
CVE-2026-20210
5.4 MEDIUM

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to modify …

May 14, 2026
CVE-2026-20209
5.4 MEDIUM

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate …

May 14, 2026
CVE-2026-20182
10.0 CRITICAL KEV

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February …

May 14, 2026
CVE-2025-62317
2.6 LOW

HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through …

May 14, 2026
CVE-2025-62316
2.3 LOW

HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness …

May 14, 2026
CVE-2025-62313
5.4 MEDIUM

HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to …

May 14, 2026
CVE-2025-62312
3.0 LOW

HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential …

May 14, 2026
CVE-2025-62311
4.3 MEDIUM

HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. This may expose sensitive information to potential …

May 14, 2026
CVE-2025-62310
5.4 MEDIUM

HCL AION is affected by a vulnerability where encryption is not enforced for certain data transmissions or operations. This may expose sensitive information to potential …

May 14, 2026
CVE-2025-62309
2.6 LOW

HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in …

May 14, 2026
CVE-2025-62308
5.1 MEDIUM

HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or …

May 14, 2026
CVE-2025-62305
5.1 MEDIUM

HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. Such behaviour may …

May 14, 2026
CVE-2026-44504

Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. …

May 14, 2026
CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host …

May 14, 2026
CVE-2026-44501
4.3 MEDIUM

DataHub is an open-source metadata platform. Prior to 1.5.0.3, The DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC …

May 14, 2026
CVE-2026-42597
5.9 MEDIUM

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium …

May 14, 2026
CVE-2026-42596
9.4 CRITICAL

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. …

May 14, 2026
CVE-2026-42595
8.6 HIGH

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The …

May 14, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.