CVE Database

109356+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-44742
7.2 HIGH

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in …

May 7, 2026
CVE-2026-44244
7.8 HIGH

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. …

May 7, 2026
CVE-2026-44243
7.1 HIGH

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a …

May 7, 2026
CVE-2026-42284
8.1 HIGH

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" …

May 7, 2026
CVE-2026-42215
8.8 HIGH

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as …

May 7, 2026
CVE-2026-42214
7.8 HIGH

Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without …

May 7, 2026
CVE-2026-41906
7.1 HIGH

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope …

May 7, 2026
CVE-2026-41905
7.7 HIGH

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via …

May 7, 2026
CVE-2026-41904
7.6 HIGH

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store …

May 7, 2026
CVE-2026-41903
5.4 MEDIUM

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended …

May 7, 2026
CVE-2026-41902
9.1 CRITICAL

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random …

May 7, 2026
CVE-2026-41653

BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may …

May 7, 2026
CVE-2026-8081
6.3 MEDIUM

A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API …

May 7, 2026
CVE-2026-37709
9.8 CRITICAL

Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the …

May 7, 2026
CVE-2026-7415
9.8 CRITICAL

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the …

May 7, 2026
CVE-2026-7414
9.8 CRITICAL

Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be …

May 7, 2026
CVE-2026-7413
7.2 HIGH

A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, …

May 7, 2026
CVE-2026-7821
7.4 HIGH

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted …

May 7, 2026
CVE-2026-6973
7.2 HIGH KEV

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code …

May 7, 2026
CVE-2026-5788
7.0 HIGH

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

May 7, 2026
CVE-2026-5787
8.9 HIGH

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain …

May 7, 2026
CVE-2026-5786
8.8 HIGH

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

May 7, 2026
CVE-2026-36388
5.4 MEDIUM

A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to …

May 7, 2026
CVE-2026-36387
6.5 MEDIUM

A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file …

May 7, 2026
CVE-2026-36341
5.4 MEDIUM

Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on …

May 7, 2026
CVE-2025-65122
7.5 HIGH

Regex Denial of Service in youtube-regex npm package through version 1.0.5.

May 7, 2026
CVE-2025-63704
9.8 CRITICAL

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly …

May 7, 2026
CVE-2025-63703
9.8 CRITICAL

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

May 7, 2026
CVE-2025-4397
6.8 MEDIUM

Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

May 7, 2026
CVE-2025-4386
6.8 MEDIUM

Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.​

May 7, 2026
CVE-2026-44349

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly …

May 7, 2026
CVE-2026-44264
4.3 MEDIUM

Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize …

May 7, 2026
CVE-2026-44263
4.3 MEDIUM

Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in …

May 7, 2026
CVE-2026-42011
7.4 HIGH

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name …

May 7, 2026
CVE-2026-41689
6.0 MEDIUM

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in …

May 7, 2026
CVE-2026-41688
7.7 HIGH

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but …

May 7, 2026
CVE-2026-41687
4.3 MEDIUM

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an …

May 7, 2026
CVE-2026-41654
8.1 HIGH

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any …

May 7, 2026
CVE-2026-41650
6.1 MEDIUM

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" …

May 7, 2026
CVE-2026-41519
4.2 MEDIUM

Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but …

May 7, 2026
CVE-2026-41505
8.7 HIGH

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. …

May 7, 2026
CVE-2026-41422
8.3 HIGH

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() …

May 7, 2026
CVE-2026-36458
9.8 CRITICAL

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a …

May 7, 2026
CVE-2026-32686

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing …

May 7, 2026
CVE-2025-67202
6.1 MEDIUM

Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb.

May 7, 2026
CVE-2025-63706
9.8 CRITICAL

NPM package next-npm-version1.0.1 is vulnerable to Command injection.

May 7, 2026
CVE-2025-63705
8.8 HIGH

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.

May 7, 2026
CVE-2026-6795
9.6 CRITICAL

URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

May 7, 2026
CVE-2026-41685
4.3 MEDIUM

Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amount of data by authenticated users can run the …

May 7, 2026
CVE-2026-41684
6.5 MEDIUM

Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back …

May 7, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.