CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-45229
8.8 HIGH

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an …

May 13, 2026
CVE-2026-45228
5.4 MEDIUM

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html …

May 13, 2026
CVE-2026-45055
8.1 HIGH

CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no …

May 13, 2026
CVE-2026-45054
4.9 MEDIUM

CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled …

May 13, 2026
CVE-2026-45053
9.1 CRITICAL

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) …

May 13, 2026
CVE-2026-44418

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly …

May 13, 2026
CVE-2026-44381
5.3 MEDIUM

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters …

May 13, 2026
CVE-2026-44380
7.2 HIGH

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed …

May 13, 2026
CVE-2026-44379
5.3 MEDIUM

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid …

May 13, 2026
CVE-2026-44377
9.1 CRITICAL

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates …

May 13, 2026
CVE-2026-44376
6.1 MEDIUM

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic …

May 13, 2026
CVE-2026-44373
5.3 MEDIUM

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in …

May 13, 2026
CVE-2026-44372

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect …

May 13, 2026
CVE-2026-44368

PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose …

May 13, 2026
CVE-2026-42602
8.1 HIGH

azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure …

May 13, 2026
CVE-2026-42561
7.5 HIGH

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing …

May 13, 2026
CVE-2026-42304
7.5 HIGH

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) …

May 13, 2026
CVE-2026-39428
4.8 MEDIUM

CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can …

May 13, 2026
CVE-2026-39358
7.2 HIGH

CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and …

May 13, 2026
CVE-2026-21821
8.3 HIGH

The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no …

May 13, 2026
CVE-2025-27853
7.3 HIGH

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only …

May 13, 2026
CVE-2025-27852
5.0 MEDIUM

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an …

May 13, 2026
CVE-2025-27851
9.3 CRITICAL

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the …

May 13, 2026
CVE-2025-27850
7.5 HIGH

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks …

May 13, 2026
CVE-2026-44364

MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in …

May 13, 2026
CVE-2026-44363

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed …

May 13, 2026
CVE-2026-44351
9.1 CRITICAL

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to …

May 13, 2026
CVE-2026-42552
7.5 HIGH

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace …

May 13, 2026
CVE-2026-42551
7.5 HIGH

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including …

May 13, 2026
CVE-2026-42550
8.8 HIGH

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys …

May 13, 2026
CVE-2026-42549
4.4 MEDIUM

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied …

May 13, 2026
CVE-2026-42548

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that …

May 13, 2026
CVE-2026-33381
5.9 MEDIUM

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds …

May 13, 2026
CVE-2026-33380
6.3 MEDIUM

A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle …

May 13, 2026
CVE-2026-33378
6.5 MEDIUM

Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to …

May 13, 2026
CVE-2026-33377
7.1 HIGH

An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the …

May 13, 2026
CVE-2026-33376
7.4 HIGH

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate …

May 13, 2026
CVE-2026-28383
6.5 MEDIUM

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can …

May 13, 2026
CVE-2026-28380
6.5 MEDIUM

Any Editor could delete any snapshot, even if they have no access to read or write them.

May 13, 2026
CVE-2026-28379
6.5 MEDIUM

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal …

May 13, 2026
CVE-2026-28376
6.5 MEDIUM

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory …

May 13, 2026
CVE-2026-28374
4.3 MEDIUM

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

May 13, 2026
CVE-2026-0243

A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma …

May 13, 2026
CVE-2026-8496
6.1 MEDIUM

A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated …

May 13, 2026
CVE-2026-8466

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in …

May 13, 2026
CVE-2026-44248
5.3 MEDIUM

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any …

May 13, 2026
CVE-2026-43970

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes …

May 13, 2026
CVE-2026-42587
7.5 HIGH

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent …

May 13, 2026
CVE-2026-42586
6.8 MEDIUM

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to …

May 13, 2026
CVE-2026-42585
6.5 MEDIUM

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is …

May 13, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.