CVE Database

110702+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-42027
9.8 CRITICAL

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by …

May 4, 2026
CVE-2026-40682
9.1 CRITICAL

XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static …

May 4, 2026
CVE-2026-38669
6.1 MEDIUM

wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.

May 4, 2026
CVE-2026-37461
7.5 HIGH

An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP …

May 4, 2026
CVE-2026-29514
8.8 HIGH

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to …

May 4, 2026
CVE-2026-26956
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside …

May 4, 2026
CVE-2026-26332
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue …

May 4, 2026
CVE-2026-25293
9.6 CRITICAL

Buffer overflow due to incorrect authorization in PLC FW

May 4, 2026
CVE-2026-25266
5.5 MEDIUM

Memory corruption while processing IOCTL command when device is in power-save state.

May 4, 2026
CVE-2026-24781
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows …

May 4, 2026
CVE-2026-24120
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to …

May 4, 2026
CVE-2026-24118
9.8 CRITICAL

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code …

May 4, 2026
CVE-2026-24082
7.8 HIGH

Memory Corruption when copying data from a freed source while executing performance counter deselect operation.

May 4, 2026
CVE-2025-47408
7.8 HIGH

Memory corruption when another driver calls an IOCTL with invalid input/output buffer.

May 4, 2026
CVE-2025-47407
7.8 HIGH

Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level.

May 4, 2026
CVE-2025-47406
6.1 MEDIUM

Information Disclosure while processing IOCTL handler callbacks without verifying buffer size.

May 4, 2026
CVE-2025-47405
7.8 HIGH

Memory corruption when processing camera sensor input/output control codes with invalid output buffers.

May 4, 2026
CVE-2025-47404
6.5 MEDIUM

Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified.

May 4, 2026
CVE-2025-47403
6.5 MEDIUM

Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming.

May 4, 2026
CVE-2025-47401
6.5 MEDIUM

Transient DOS when processing target power rate tables during channel configuration.

May 4, 2026
CVE-2026-40563
8.1 HIGH

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. …

May 4, 2026
CVE-2026-37458
6.5 MEDIUM

Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying …

May 4, 2026
CVE-2026-36365
7.8 HIGH

An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and …

May 4, 2026
CVE-2025-70071
5.9 MEDIUM

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray()

May 4, 2026
CVE-2026-6501

Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup. This issue affects jOpenDocument: 1.5.

May 4, 2026
CVE-2026-6500

Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data. This issue affects OpenConcerto: 1.7.5.

May 4, 2026
CVE-2026-33523
6.5 MEDIUM

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. …

May 4, 2026
CVE-2026-33007
5.3 MEDIUM

A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in …

May 4, 2026
CVE-2026-33006
4.8 MEDIUM

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade …

May 4, 2026
CVE-2026-29169
7.5 HIGH

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock …

May 4, 2026
CVE-2026-23918
8.8 HIGH

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to …

May 4, 2026
CVE-2025-70072
6.5 MEDIUM

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp, FBXConverter::ConvertMeshMultiMaterial() components

May 4, 2026
CVE-2025-70070
6.5 MEDIUM

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry()

May 4, 2026
CVE-2025-13605

3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by …

May 4, 2026
CVE-2026-6499

Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries. This issue affects OpenConcerto: 1.7.5.

May 4, 2026
CVE-2026-6266
8.3 HIGH

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to …

May 4, 2026
CVE-2026-34032
5.3 MEDIUM

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version …

May 4, 2026
CVE-2026-33857
5.3 MEDIUM

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, …

May 4, 2026
CVE-2026-31205
5.7 MEDIUM

Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function

May 4, 2026
CVE-2025-70069
7.5 HIGH

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() method

May 4, 2026
CVE-2025-70067
9.8 CRITICAL

Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from …

May 4, 2026
CVE-2025-58074
8.8 HIGH

A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation …

May 4, 2026
CVE-2026-7482
9.1 CRITICAL

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the …

May 4, 2026
CVE-2026-34059
7.5 HIGH

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes …

May 4, 2026
CVE-2026-24072
8.8 HIGH

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of …

May 4, 2026
CVE-2026-3120
7.2 HIGH

Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This …

May 4, 2026
CVE-2026-7750
8.8 HIGH

A vulnerability was detected in Totolink N300RH 3.2.4-B20220812. This vulnerability affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The …

May 4, 2026
CVE-2026-7749
8.8 HIGH

A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. This affects the function setWanConfig of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. …

May 4, 2026
CVE-2026-7748
8.8 HIGH

A weakness has been identified in Totolink N300RH 3.2.4-B20220812. Affected by this issue is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST …

May 4, 2026
CVE-2026-33846
7.5 HIGH

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are …

May 4, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.