CVE Database

109356+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-8153
9.8 CRITICAL

OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code …

May 8, 2026
CVE-2026-8076

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system …

May 8, 2026
CVE-2026-3318

Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter …

May 8, 2026
CVE-2026-7650
6.4 MEDIUM

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode …

May 8, 2026
CVE-2026-7475
6.4 MEDIUM

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, …

May 8, 2026
CVE-2026-6213

A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check and achieve arbitrary code execution as root …

May 8, 2026
CVE-2026-5341
6.4 MEDIUM

The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, …

May 8, 2026
CVE-2026-7330
7.2 HIGH

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient …

May 8, 2026
CVE-2026-5127
8.8 HIGH

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in …

May 8, 2026
CVE-2026-44928
2.9 LOW

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

May 8, 2026
CVE-2026-44927
2.9 LOW

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

May 8, 2026
CVE-2026-43284
8.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a …

May 8, 2026
CVE-2013-10075
9.1 CRITICAL

Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can …

May 8, 2026
CVE-2026-8149

A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f. This vulnerability is associated with program files gcm128w, gcm512w. …

May 8, 2026
CVE-2026-8069

PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal …

May 8, 2026
CVE-2026-4935
8.6 HIGH

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow …

May 8, 2026
CVE-2026-44916
3.0 LOW

In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.

May 8, 2026
CVE-2025-69691
9.9 CRITICAL

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available …

May 8, 2026
CVE-2025-69690
9.1 CRITICAL

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. …

May 8, 2026
CVE-2025-69599
9.8 CRITICAL

RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is …

May 8, 2026
CVE-2025-67888
7.3 HIGH

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter …

May 8, 2026
CVE-2025-67887
9.8 CRITICAL

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a …

May 8, 2026
CVE-2025-67886
6.3 MEDIUM

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a …

May 8, 2026
CVE-2025-55449
7.3 HIGH

AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

May 8, 2026
CVE-2023-46453
9.8 CRITICAL

Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL …

May 8, 2026
CVE-2024-53326
7.3 HIGH

LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.

May 8, 2026
CVE-2024-51092
9.1 CRITICAL

LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().

May 8, 2026
CVE-2024-46508
7.5 HIGH

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than …

May 8, 2026
CVE-2024-46507
7.3 HIGH

A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the …

May 8, 2026
CVE-2024-45257
7.3 HIGH

A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server …

May 8, 2026
CVE-2024-33724
5.4 MEDIUM

SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php.

May 8, 2026
CVE-2024-33722
6.3 MEDIUM

SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[].

May 8, 2026
CVE-2024-33288
7.3 HIGH

Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page.

May 8, 2026
CVE-2024-30167
6.3 MEDIUM

/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName …

May 8, 2026
CVE-2024-27686
7.5 HIGH

Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data …

May 8, 2026
CVE-2023-47268
5.3 MEDIUM

In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and …

May 8, 2026
CVE-2026-8148
7.8 HIGH

NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks.

May 8, 2026
CVE-2026-8138
8.8 HIGH

A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg”. The manipulation results in stack-based buffer overflow. …

May 8, 2026
CVE-2026-8137
8.8 HIGH

A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url …

May 8, 2026
CVE-2026-42279
5.8 MEDIUM

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all …

May 8, 2026
CVE-2026-42278

UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its …

May 8, 2026
CVE-2026-42277
6.5 MEDIUM

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other …

May 8, 2026
CVE-2026-42276
4.3 MEDIUM

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's …

May 8, 2026
CVE-2023-42346
7.5 HIGH

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.

May 8, 2026
CVE-2023-42345
6.1 MEDIUM

A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.

May 8, 2026
CVE-2023-42344
7.3 HIGH

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

May 8, 2026
CVE-2023-42343
6.1 MEDIUM

A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type.

May 8, 2026
CVE-2022-45899
6.5 MEDIUM

Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log …

May 8, 2026
CVE-2022-26523
5.3 MEDIUM

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in …

May 8, 2026
CVE-2022-26522
7.8 HIGH

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in …

May 8, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.