CVE Database

109356+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-43080

In the Linux kernel, the following vulnerability has been resolved: l2tp: Drop large packets with UDP encap syzbot reported a WARN on my patch series …

May 6, 2026
CVE-2026-43079

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Skip discovery table for offline dies This warning can be triggered if NUMA is …

May 6, 2026
CVE-2026-43078
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl When page reassignment was added to …

May 6, 2026
CVE-2026-43077

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Fix minimum RX size check for decryption The check for the minimum …

May 6, 2026
CVE-2026-43076
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() …

May 6, 2026
CVE-2026-43075
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in …

May 6, 2026
CVE-2026-43074
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c …

May 6, 2026
CVE-2026-42509
6.1 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from …

May 6, 2026
CVE-2026-40010
9.1 CRITICAL

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue …

May 6, 2026
CVE-2026-40001
5.2 MEDIUM

There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, …

May 6, 2026
CVE-2026-35255
6.6 MEDIUM

Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily …

May 6, 2026
CVE-2026-1719
7.5 HIGH

The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on …

May 6, 2026
CVE-2026-7841
8.8 HIGH

A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on …

May 6, 2026
CVE-2026-7457
6.4 MEDIUM

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input …

May 6, 2026
CVE-2026-7332
7.2 HIGH

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all …

May 6, 2026
CVE-2026-6672
6.4 MEDIUM

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and …

May 6, 2026
CVE-2026-6344
4.9 MEDIUM

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path …

May 6, 2026
CVE-2026-35254
6.1 MEDIUM

Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated …

May 6, 2026
CVE-2026-35253
4.7 MEDIUM

Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated …

May 6, 2026
CVE-2026-23928

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This …

May 6, 2026
CVE-2026-23927

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 …

May 6, 2026
CVE-2026-23926

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance …

May 6, 2026
CVE-2026-2306
4.3 MEDIUM

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the …

May 6, 2026
CVE-2026-5753
6.5 MEDIUM

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to …

May 6, 2026
CVE-2026-3208
5.3 MEDIUM

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' …

May 6, 2026
CVE-2026-7573
5.0 MEDIUM

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete …

May 6, 2026
CVE-2026-7572
4.4 MEDIUM

An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to …

May 6, 2026
CVE-2025-71256
7.5 HIGH

In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

May 6, 2026
CVE-2025-71255
7.5 HIGH

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

May 6, 2026
CVE-2025-71254
7.5 HIGH

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

May 6, 2026
CVE-2025-71253
7.5 HIGH

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

May 6, 2026
CVE-2025-71252
7.5 HIGH

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

May 6, 2026
CVE-2025-71251
7.5 HIGH

In IMS, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution …

May 6, 2026
CVE-2026-44405
3.4 LOW

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

May 6, 2026
CVE-2026-40934
6.8 MEDIUM

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a …

May 5, 2026
CVE-2026-40110
7.3 HIGH

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins …

May 5, 2026
CVE-2026-40075
7.5 HIGH

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is …

May 5, 2026
CVE-2026-28780
9.8 CRITICAL

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious …

May 5, 2026
CVE-2026-41950
6.5 MEDIUM

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within …

May 5, 2026
CVE-2026-40068
8.8 HIGH

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker …

May 5, 2026
CVE-2026-39852
8.2 HIGH

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between …

May 5, 2026
CVE-2026-39849
8.8 HIGH

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL …

May 5, 2026
CVE-2026-39402
6.5 MEDIUM

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an …

May 5, 2026
CVE-2026-39383
7.2 HIGH

Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST …

May 5, 2026
CVE-2026-35579
9.8 CRITICAL

CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. …

May 5, 2026
CVE-2026-35527
5.0 MEDIUM

Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to …

May 5, 2026
CVE-2026-7857
7.2 HIGH

A vulnerability has been found in D-Link DI-8100 16.07.26A1. This vulnerability affects the function sprintf of the file /user_group.asp of the component CGI Handler. The …

May 5, 2026
CVE-2026-7856
7.2 HIGH

A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing …

May 5, 2026
CVE-2026-44331
8.1 HIGH

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a …

May 5, 2026
CVE-2026-40331

Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the …

May 5, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.