CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-1659
7.5 HIGH

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2026-1338
4.3 MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2026-1322
6.8 MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2026-1184
6.5 MEDIUM

GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2025-15345
6.1 MEDIUM

The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all …

May 14, 2026
CVE-2025-14870
7.5 HIGH

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2025-14869
7.5 HIGH

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2025-13874
4.3 MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2025-12669
5.4 MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have …

May 14, 2026
CVE-2026-7648
4.3 MEDIUM

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all …

May 14, 2026
CVE-2026-7525
4.3 MEDIUM

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is …

May 14, 2026
CVE-2026-5361
6.4 MEDIUM

The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This …

May 14, 2026
CVE-2026-5486
6.5 MEDIUM

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up …

May 14, 2026
CVE-2026-46446
7.1 HIGH

SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in …

May 14, 2026
CVE-2026-46445
7.1 HIGH

SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.

May 14, 2026
CVE-2026-46419
7.5 HIGH

Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.

May 14, 2026
CVE-2026-44919
4.3 MEDIUM

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

May 14, 2026
CVE-2026-41281
4.8 MEDIUM

Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications …

May 14, 2026
CVE-2026-8500
9.8 CRITICAL

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The …

May 13, 2026
CVE-2026-32991
7.1 HIGH

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

May 13, 2026
CVE-2026-29206
8.1 HIGH

Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.

May 13, 2026
CVE-2026-45158
9.1 CRITICAL

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, …

May 13, 2026
CVE-2026-44478
7.5 HIGH

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and …

May 13, 2026
CVE-2026-44471
7.8 HIGH

gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, …

May 13, 2026
CVE-2026-44448
5.9 MEDIUM

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing …

May 13, 2026
CVE-2026-44447
8.8 HIGH

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, …

May 13, 2026
CVE-2026-44446
8.8 HIGH

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially …

May 13, 2026
CVE-2026-44445
6.5 MEDIUM

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference …

May 13, 2026
CVE-2026-44442
9.9 CRITICAL

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to …

May 13, 2026
CVE-2026-44441
5.0 MEDIUM

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to …

May 13, 2026
CVE-2026-44440
6.5 MEDIUM

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted …

May 13, 2026
CVE-2026-44439

PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. …

May 13, 2026
CVE-2026-44437

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the …

May 13, 2026
CVE-2026-44426
6.5 MEDIUM

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), …

May 13, 2026
CVE-2026-44425
5.4 MEDIUM

ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property …

May 13, 2026
CVE-2026-44424
6.5 MEDIUM

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the …

May 13, 2026
CVE-2026-44423
6.5 MEDIUM

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's …

May 13, 2026
CVE-2026-44369

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create …

May 13, 2026
CVE-2026-44195
5.3 MEDIUM

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously …

May 13, 2026
CVE-2026-44194
9.1 CRITICAL

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a …

May 13, 2026
CVE-2026-44193
9.1 CRITICAL

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote …

May 13, 2026
CVE-2026-42463
8.1 HIGH

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) …

May 13, 2026
CVE-2026-40328

Rejected reason: This CVE is a duplicate of another CVE.

May 13, 2026
CVE-2026-40327

Rejected reason: This CVE is a duplicate of another CVE.

May 13, 2026
CVE-2026-32993
8.3 HIGH

Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

May 13, 2026
CVE-2026-32992
8.2 HIGH

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.

May 13, 2026
CVE-2026-29205
8.6 HIGH

Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

May 13, 2026
CVE-2026-8328

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual …

May 13, 2026
CVE-2026-45714
9.1 CRITICAL

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, …

May 13, 2026
CVE-2026-45708
7.2 HIGH

CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. …

May 13, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.