CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-40460
6.5 MEDIUM

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP …

May 13, 2026
CVE-2026-40435
5.3 MEDIUM

When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses. Note: Software versions which have reached …

May 13, 2026
CVE-2026-40423
7.5 HIGH

When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which …

May 13, 2026
CVE-2026-40067
7.5 HIGH

When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. Note: Software versions which …

May 13, 2026
CVE-2026-40061
8.7 HIGH

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker …

May 13, 2026
CVE-2026-40060
7.5 HIGH

When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. Note: …

May 13, 2026
CVE-2026-39459
7.2 HIGH

A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create …

May 13, 2026
CVE-2026-39458
7.5 HIGH

When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to …

May 13, 2026
CVE-2026-39455
7.5 HIGH

When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the …

May 13, 2026
CVE-2026-36742
6.8 MEDIUM

Hiseeu C90 v5.7.15 is vulnerable to Insecure Permissions. The UART bootloader is accessible when battery is disconnected (hidden/debug mode).

May 13, 2026
CVE-2026-36741
7.2 HIGH

U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied …

May 13, 2026
CVE-2026-36738
6.8 MEDIUM

U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Incorrect Access Control. The device exposes a UART interface that lacks authentication, authorization, or …

May 13, 2026
CVE-2026-35062
6.5 MEDIUM

An authenticated iControl SOAP user may be able to obtain information of other accounts. Note: Software versions which have reached End of Technical Support (EoTS) …

May 13, 2026
CVE-2026-34176
8.7 HIGH

When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker …

May 13, 2026
CVE-2026-34019
5.3 MEDIUM

When Bidirectional Forwarding Detection (BFD) is configured in Static and Dynamic routing protocols, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to stop processing …

May 13, 2026
CVE-2026-32673
8.7 HIGH

A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands …

May 13, 2026
CVE-2026-32643
8.7 HIGH

A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects …

May 13, 2026
CVE-2026-31156
6.5 MEDIUM

A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path …

May 13, 2026
CVE-2026-28758
4.4 MEDIUM

When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the …

May 13, 2026
CVE-2026-24464
6.8 MEDIUM

When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role …

May 13, 2026
CVE-2026-20916
8.1 HIGH

An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. Note: …

May 13, 2026
CVE-2025-32425

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. In AutoGPT, the execution process …

May 13, 2026
CVE-2025-29338
5.6 MEDIUM

NXP moal.ko Wi-Fi driver 5.1.7.10 FW version from v17.92.1.p149.43 To v17.92.1.p149.157 was discovered to contain a buffer overflow via the mod_para parameter in the woal_init_module_param …

May 13, 2026
CVE-2025-28344
7.5 HIGH

striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in function AuxJack.

May 13, 2026
CVE-2025-28343
7.5 HIGH

striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in function ThreadReadButtons.

May 13, 2026
CVE-2024-55045
7.3 HIGH

Firmament-Autopilot FMT-Firmware commit de5aec was discovered to contain a buffer overflow via the task_mavobc_entry function at /comm/task_comm.c.

May 13, 2026
CVE-2024-51395
6.2 MEDIUM

Buffer Overflow vulnerability in Ardupiot Copter Latest commit 92693e023793133e49a035daf37c14433e484778 allows a local attacker to cause a denial of service via the AP_SmartAudio::loop, AP_SmartAudio, AP_SmartAudio.cpp components.

May 13, 2026
CVE-2024-51394
5.5 MEDIUM

Buffer Overflow vulnerability in Ardupiot Copter Latest commit 92693e023793133e49a035daf37c14433e484778 allows a local attacker to cause a denial of service via the AP_MSP::loop, AP_MSP, AP_MSP.cpp components.

May 13, 2026
CVE-2020-37226
7.1 HIGH

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' …

May 13, 2026
CVE-2020-37225
6.4 MEDIUM

Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in …

May 13, 2026
CVE-2020-37224
7.1 HIGH

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' …

May 13, 2026
CVE-2020-37223
7.8 HIGH

IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Attackers can …

May 13, 2026
CVE-2020-37222
7.2 HIGH

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs …

May 13, 2026
CVE-2020-37221
8.4 HIGH

Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display …

May 13, 2026
CVE-2020-37220
7.5 HIGH

Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can …

May 13, 2026
CVE-2020-37219
7.5 HIGH

Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET …

May 13, 2026
CVE-2020-37218
8.2 HIGH

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code …

May 13, 2026
CVE-2020-37217
4.3 MEDIUM

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers …

May 13, 2026
CVE-2020-37174
5.5 MEDIUM

WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in …

May 13, 2026
CVE-2020-37169
5.5 MEDIUM

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. …

May 13, 2026
CVE-2020-37168
9.8 CRITICAL

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. …

May 13, 2026
CVE-2026-8463
5.3 MEDIUM

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes …

May 13, 2026
CVE-2026-8369

Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 …

May 13, 2026
CVE-2026-4609
7.1 HIGH

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user …

May 13, 2026
CVE-2026-4608
6.5 MEDIUM

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up …

May 13, 2026
CVE-2026-4607
4.3 MEDIUM

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This …

May 13, 2026
CVE-2026-39806

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates …

May 13, 2026
CVE-2026-39803

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 …

May 13, 2026
CVE-2026-37430
7.3 HIGH

An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.

May 13, 2026
CVE-2026-37429
6.5 MEDIUM

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access …

May 13, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.