CVE Database

109287+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-37428
6.5 MEDIUM

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access …

May 13, 2026
CVE-2026-6177
7.2 HIGH

The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient …

May 13, 2026
CVE-2026-42961
4.3 MEDIUM

ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while …

May 13, 2026
CVE-2026-42950
4.3 MEDIUM

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged …

May 13, 2026
CVE-2026-42948
4.8 MEDIUM

Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be …

May 13, 2026
CVE-2026-42062
9.8 CRITICAL

ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command …

May 13, 2026
CVE-2026-40621
9.8 CRITICAL

ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.

May 13, 2026
CVE-2026-3426
4.3 MEDIUM

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() …

May 13, 2026
CVE-2026-3425
8.8 HIGH

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' …

May 13, 2026
CVE-2026-35506
7.2 HIGH

ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a …

May 13, 2026
CVE-2026-25107
6.5 MEDIUM

ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can …

May 13, 2026
CVE-2026-7168
5.3 MEDIUM

Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second …

May 13, 2026
CVE-2026-7009
5.3 MEDIUM

When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is …

May 13, 2026
CVE-2026-6429
5.3 MEDIUM

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host …

May 13, 2026
CVE-2026-6276
7.5 HIGH

Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy …

May 13, 2026
CVE-2026-6253
5.9 MEDIUM

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl …

May 13, 2026
CVE-2026-5773
7.5 HIGH

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse …

May 13, 2026
CVE-2026-5545
6.5 MEDIUM

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the …

May 13, 2026
CVE-2026-4873
5.9 MEDIUM

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made …

May 13, 2026
CVE-2026-4798
7.5 HIGH

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due …

May 13, 2026
CVE-2026-4782
6.5 MEDIUM

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with …

May 13, 2026
CVE-2026-44931

The newly introduced RecordUsage D-Bus method https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/0.14.0/libmalcontent-timer/child-timer-service.c in malcontent-timerd allows arbitrary users in the system to slowly fill up disk space in /var/lib/malcontent-timerd

May 13, 2026
CVE-2026-41051
5.0 MEDIUM

csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.

May 13, 2026
CVE-2026-2515
5.3 MEDIUM

The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check …

May 13, 2026
CVE-2026-25710

The new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from multiple issues, e.g.aA compromised plasmalogin service account can chown() arbitrary files in …

May 13, 2026
CVE-2024-47091

Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a …

May 13, 2026
CVE-2026-41050
9.9 CRITICAL

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to …

May 13, 2026
CVE-2026-3004
6.4 MEDIUM

The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-slick' attribute in all versions up to, and including, 24.1.11 …

May 13, 2026
CVE-2026-25705
8.4 HIGH

A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside …

May 13, 2026
CVE-2025-14767
5.5 MEDIUM

The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all …

May 13, 2026
CVE-2026-6965
5.3 MEDIUM

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including …

May 13, 2026
CVE-2026-6929
7.5 HIGH

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' …

May 13, 2026
CVE-2026-44612
7.8 HIGH

Bytello Share (Windows Edition) installer executable provided by Bytello insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when …

May 13, 2026
CVE-2026-32661
9.8 CRITICAL

Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a specially crafted request to …

May 13, 2026
CVE-2026-2725

Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch …

May 13, 2026
CVE-2026-21024

Improper privilege management in Samsung System Support Service prior to version 8.0.8.0 allows local attackers to trigger privileged functions.

May 13, 2026
CVE-2026-21022
5.5 MEDIUM

Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.

May 13, 2026
CVE-2026-21021
6.8 MEDIUM

Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity.

May 13, 2026
CVE-2026-21020
7.8 HIGH

Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions.

May 13, 2026
CVE-2026-21019

Improper input validation in FacAtFunction in Galaxy Watch prior to SMR May-2026 Release 1 allows local attacker to execute arbitrary code with system privilege.

May 13, 2026
CVE-2026-21018
6.7 MEDIUM

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.

May 13, 2026
CVE-2026-21016
5.5 MEDIUM

Incorrect privilege assignment in LocationManager prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.

May 13, 2026
CVE-2026-21015
5.5 MEDIUM

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.

May 13, 2026
CVE-2025-14033
5.3 MEDIUM

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ticket_content_callback' …

May 13, 2026
CVE-2025-11159
9.1 CRITICAL

Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when …

May 13, 2026
CVE-2026-7635
8.1 HIGH

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is …

May 13, 2026
CVE-2026-7619
6.5 MEDIUM

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the …

May 13, 2026
CVE-2026-7051
5.4 MEDIUM

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This …

May 13, 2026
CVE-2026-6962
6.4 MEDIUM

The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and …

May 13, 2026
CVE-2026-6828
6.4 MEDIUM

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permission_message' …

May 13, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.