CVE Database

109356+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-8112
6.3 MEDIUM

A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os …

May 7, 2026
CVE-2026-8106
6.1 MEDIUM

A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter …

May 7, 2026
CVE-2026-8034
9.8 CRITICAL

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting …

May 7, 2026
CVE-2026-7891

The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of …

May 7, 2026
CVE-2026-7541
7.5 HIGH

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with …

May 7, 2026
CVE-2026-6736
6.5 MEDIUM

An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external …

May 7, 2026
CVE-2026-42826
10.0 CRITICAL

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

May 7, 2026
CVE-2026-41929
6.1 MEDIUM

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating …

May 7, 2026
CVE-2026-41928
5.3 MEDIUM

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can …

May 7, 2026
CVE-2026-41105
8.1 HIGH

Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

May 7, 2026
CVE-2026-40214
6.3 MEDIUM

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is …

May 7, 2026
CVE-2026-40213
7.4 HIGH

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token …

May 7, 2026
CVE-2026-35435
8.6 HIGH

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

May 7, 2026
CVE-2026-35428
9.6 CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

May 7, 2026
CVE-2026-34327
8.2 HIGH

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

May 7, 2026
CVE-2026-33844
9.0 CRITICAL

Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

May 7, 2026
CVE-2026-33823
9.6 CRITICAL

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

May 7, 2026
CVE-2026-33111
7.5 HIGH

Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a …

May 7, 2026
CVE-2026-33109
9.9 CRITICAL

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

May 7, 2026
CVE-2026-32207
8.8 HIGH

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

May 7, 2026
CVE-2026-26164
7.5 HIGH

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a …

May 7, 2026
CVE-2026-26129
7.5 HIGH

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

May 7, 2026
CVE-2026-8098
7.3 HIGH

A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument …

May 7, 2026
CVE-2026-8097
6.3 MEDIUM

A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument …

May 7, 2026
CVE-2026-42449
8.5 HIGH

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder …

May 7, 2026
CVE-2026-42047
8.6 HIGH

Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that …

May 7, 2026
CVE-2026-41692
4.7 MEDIUM

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens …

May 7, 2026
CVE-2026-41691
6.5 MEDIUM

Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code …

May 7, 2026
CVE-2026-8142
6.5 MEDIUM

VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions …

May 7, 2026
CVE-2026-8088
3.3 LOW

A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation …

May 7, 2026
CVE-2026-8087
5.3 MEDIUM

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of …

May 7, 2026
CVE-2026-43510
7.6 HIGH

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another …

May 7, 2026
CVE-2026-42501
7.5 HIGH

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any …

May 7, 2026
CVE-2026-42499
7.5 HIGH

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

May 7, 2026
CVE-2026-42259

Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a …

May 7, 2026
CVE-2026-42241
5.3 MEDIUM

ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what …

May 7, 2026
CVE-2026-42239
8.1 HIGH

Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. …

May 7, 2026
CVE-2026-42225
5.9 MEDIUM

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) …

May 7, 2026
CVE-2026-39836
7.5 HIGH

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

May 7, 2026
CVE-2026-39826
6.1 MEDIUM

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the …

May 7, 2026
CVE-2026-39825
5.3 MEDIUM

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, …

May 7, 2026
CVE-2026-39823
6.1 MEDIUM

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert …

May 7, 2026
CVE-2026-39820
7.5 HIGH

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

May 7, 2026
CVE-2026-39819
5.3 MEDIUM

The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the …

May 7, 2026
CVE-2026-39817
5.9 MEDIUM

The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a …

May 7, 2026
CVE-2026-33814
7.5 HIGH

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

May 7, 2026
CVE-2026-33811
7.5 HIGH

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

May 7, 2026
CVE-2026-8086
5.3 MEDIUM

A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument …

May 7, 2026
CVE-2026-8084
3.3 LOW

A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid …

May 7, 2026
CVE-2026-8083
7.3 HIGH

A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the …

May 7, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.