CVE Database

109356+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-41641
7.2 HIGH

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL …

May 7, 2026
CVE-2026-41586

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() …

May 7, 2026
CVE-2026-41413
5.0 MEDIUM

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a …

May 7, 2026
CVE-2026-41143
8.8 HIGH

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. …

May 7, 2026
CVE-2026-41139
8.8 HIGH

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression …

May 7, 2026
CVE-2026-6214
6.5 MEDIUM

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function …

May 7, 2026
CVE-2026-44603
3.7 LOW

Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.

May 7, 2026
CVE-2026-44602
3.7 LOW

Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.

May 7, 2026
CVE-2026-44601
3.7 LOW

Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.

May 7, 2026
CVE-2026-42217
9.8 CRITICAL

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to …

May 7, 2026
CVE-2026-42216
9.1 CRITICAL

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to …

May 7, 2026
CVE-2026-42194
6.8 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes …

May 7, 2026
CVE-2026-41891

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version …

May 7, 2026
CVE-2026-41890

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version …

May 7, 2026
CVE-2026-41675

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and …

May 7, 2026
CVE-2026-41674

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and …

May 7, 2026
CVE-2026-41673

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and …

May 7, 2026
CVE-2026-41672

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and …

May 7, 2026
CVE-2026-41671
6.8 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless …

May 7, 2026
CVE-2026-41670
8.2 HIGH

Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from …

May 7, 2026
CVE-2026-41669
8.2 HIGH

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method …

May 7, 2026
CVE-2026-41663
3.5 LOW

Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire …

May 7, 2026
CVE-2026-41662
5.2 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero …

May 7, 2026
CVE-2026-41661
6.1 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a …

May 7, 2026
CVE-2026-41660
7.1 HIGH

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users …

May 7, 2026
CVE-2026-41659
2.7 LOW

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, …

May 7, 2026
CVE-2026-41658
6.5 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in …

May 7, 2026
CVE-2026-41657
4.9 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the …

May 7, 2026
CVE-2026-41656
4.5 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type …

May 7, 2026
CVE-2026-41655
6.5 MEDIUM

Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe …

May 7, 2026
CVE-2026-41640
7.5 HIGH

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package …

May 7, 2026
CVE-2026-41587

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version …

May 7, 2026
CVE-2026-41203

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload …

May 7, 2026
CVE-2026-41202

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore …

May 7, 2026
CVE-2026-41201
9.1 CRITICAL

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can …

May 7, 2026
CVE-2026-41142
8.8 HIGH

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to …

May 7, 2026
CVE-2026-41004
4.4 MEDIUM

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from …

May 7, 2026
CVE-2026-41002
7.2 HIGH

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config …

May 7, 2026
CVE-2026-40982
9.1 CRITICAL

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request …

May 7, 2026
CVE-2026-40981
7.5 HIGH

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially …

May 7, 2026
CVE-2026-40004
5.5 MEDIUM

There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges.

May 7, 2026
CVE-2026-4807
6.5 MEDIUM

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed …

May 7, 2026
CVE-2026-44600
3.7 LOW

Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.

May 7, 2026
CVE-2026-44599
3.7 LOW

Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.

May 7, 2026
CVE-2026-6222
5.3 MEDIUM

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method …

May 7, 2026
CVE-2026-40003
5.1 MEDIUM

ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB …

May 7, 2026
CVE-2026-44597
3.7 LOW

Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.

May 7, 2026
CVE-2026-6278

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

May 6, 2026
CVE-2026-41484
5.3 MEDIUM

OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured …

May 6, 2026
CVE-2026-41483
5.9 MEDIUM

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance …

May 6, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.