CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-31674
7.1 HIGH

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. …

Apr 25, 2026
CVE-2026-31673
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the …

Apr 25, 2026
CVE-2026-6951
9.8 CRITICAL

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c …

Apr 25, 2026
CVE-2026-6175

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Apr 24, 2026
CVE-2026-42171
7.8 HIGH

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges …

Apr 24, 2026
CVE-2026-41488
3.1 LOW

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs …

Apr 24, 2026
CVE-2026-41481
6.5 MEDIUM

LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the …

Apr 24, 2026
CVE-2026-41478
9.9 CRITICAL

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows …

Apr 24, 2026
CVE-2026-41473
9.1 CRITICAL

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary …

Apr 24, 2026
CVE-2026-41472
6.1 MEDIUM

CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows …

Apr 24, 2026
CVE-2026-41248
9.1 CRITICAL

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them …

Apr 24, 2026
CVE-2026-6968
5.9 MEDIUM

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute …

Apr 24, 2026
CVE-2026-6967
5.9 MEDIUM

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF …

Apr 24, 2026
CVE-2026-6966
5.3 MEDIUM

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement …

Apr 24, 2026
CVE-2026-41503
7.5 HIGH

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service …

Apr 24, 2026
CVE-2026-41502
7.5 HIGH

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple …

Apr 24, 2026
CVE-2026-41477
7.8 HIGH

Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with …

Apr 24, 2026
CVE-2026-41476
8.8 HIGH

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger …

Apr 24, 2026
CVE-2026-41475
9.1 CRITICAL

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service …

Apr 24, 2026
CVE-2026-41433
8.4 HIGH

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows …

Apr 24, 2026
CVE-2026-41429
8.8 HIGH

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption …

Apr 24, 2026
CVE-2026-41428
9.1 CRITICAL

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since …

Apr 24, 2026
CVE-2026-41427
6.5 MEDIUM

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation …

Apr 24, 2026
CVE-2026-41426
6.1 MEDIUM

pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by …

Apr 24, 2026
CVE-2026-41425
5.4 MEDIUM

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in …

Apr 24, 2026
CVE-2026-41244
4.7 MEDIUM

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard …

Apr 24, 2026
CVE-2026-41907
7.5 HIGH

uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject …

Apr 24, 2026
CVE-2026-41894

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address …

Apr 24, 2026
CVE-2026-41492
9.8 CRITICAL

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because …

Apr 24, 2026
CVE-2026-41421
8.8 HIGH

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification …

Apr 24, 2026
CVE-2026-41419
7.6 HIGH

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges …

Apr 24, 2026
CVE-2026-41418
5.3 MEDIUM

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in …

Apr 24, 2026
CVE-2026-41416
7.5 HIGH

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream …

Apr 24, 2026
CVE-2026-41415
9.1 CRITICAL

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a …

Apr 24, 2026
CVE-2026-41414
7.4 HIGH

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it …

Apr 24, 2026
CVE-2026-41328
9.1 CRITICAL

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read …

Apr 24, 2026
CVE-2026-41327
9.1 CRITICAL

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read …

Apr 24, 2026
CVE-2026-41326
8.2 HIGH

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, …

Apr 24, 2026
CVE-2026-33666
7.5 HIGH

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), …

Apr 24, 2026
CVE-2026-33662
7.5 HIGH

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From …

Apr 24, 2026
CVE-2026-33524
7.5 HIGH

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small …

Apr 24, 2026
CVE-2026-42044
6.5 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype …

Apr 24, 2026
CVE-2026-42043
7.2 HIGH

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL …

Apr 24, 2026
CVE-2026-42042
5.4 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses …

Apr 24, 2026
CVE-2026-42041
4.8 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype …

Apr 24, 2026
CVE-2026-42040
3.7 LOW

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character …

Apr 24, 2026
CVE-2026-42039
7.5 HIGH

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth …

Apr 24, 2026
CVE-2026-42038
6.8 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is …

Apr 24, 2026
CVE-2026-42037
5.3 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly …

Apr 24, 2026
CVE-2026-42036
5.3 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the …

Apr 24, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.