CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-41324
7.5 HIGH

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings …

Apr 24, 2026
CVE-2026-41323
8.1 HIGH

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically …

Apr 24, 2026
CVE-2026-41319
6.5 MEDIUM

MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle …

Apr 24, 2026
CVE-2026-41318
5.4 MEDIUM

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's …

Apr 24, 2026
CVE-2026-41068
7.7 HIGH

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by …

Apr 24, 2026
CVE-2026-2028
5.3 MEDIUM

The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in …

Apr 24, 2026
CVE-2026-41317
7.5 HIGH

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to …

Apr 24, 2026
CVE-2026-41316
8.1 HIGH

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and …

Apr 24, 2026
CVE-2026-41309
8.2 HIGH

Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can …

Apr 24, 2026
CVE-2026-41305
6.1 MEDIUM

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions …

Apr 24, 2026
CVE-2026-40254
4.2 MEDIUM

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The …

Apr 24, 2026
CVE-2026-33318
8.8 HIGH

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from …

Apr 24, 2026
CVE-2026-33317
8.7 HIGH

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In …

Apr 24, 2026
CVE-2026-33208
8.8 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in …

Apr 24, 2026
CVE-2026-33078
9.8 CRITICAL

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save …

Apr 24, 2026
CVE-2026-33077
7.5 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has …

Apr 24, 2026
CVE-2026-33076
9.8 CRITICAL

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could …

Apr 24, 2026
CVE-2026-32952
5.3 MEDIUM

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out …

Apr 24, 2026
CVE-2026-41325
8.8 HIGH

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the …

Apr 24, 2026
CVE-2026-40099
6.5 MEDIUM

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the …

Apr 24, 2026
CVE-2026-34587
8.1 HIGH

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific …

Apr 24, 2026
CVE-2026-32870
7.5 HIGH

Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, …

Apr 24, 2026
CVE-2026-31956
4.3 MEDIUM

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated …

Apr 24, 2026
CVE-2026-31955
4.9 MEDIUM

Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) …

Apr 24, 2026
CVE-2026-31953
6.4 MEDIUM

Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability …

Apr 24, 2026
CVE-2026-40630
9.8 CRITICAL

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network …

Apr 24, 2026
CVE-2026-40623
8.1 HIGH

A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due …

Apr 24, 2026
CVE-2026-40620
9.8 CRITICAL

A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive …

Apr 24, 2026
CVE-2026-40431
5.3 MEDIUM

A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication …

Apr 24, 2026
CVE-2026-39462
8.1 HIGH

A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on …

Apr 24, 2026
CVE-2026-35503
9.8 CRITICAL

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed …

Apr 24, 2026
CVE-2026-35064
7.5 HIGH

A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and …

Apr 24, 2026
CVE-2026-31952
7.6 HIGH

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an …

Apr 24, 2026
CVE-2026-29197
4.3 MEDIUM

In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, …

Apr 24, 2026
CVE-2026-29051
4.4 MEDIUM

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also …

Apr 24, 2026
CVE-2026-29050
6.1 MEDIUM

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a …

Apr 24, 2026
CVE-2026-27843
9.1 CRITICAL

A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying …

Apr 24, 2026
CVE-2026-27841
8.1 HIGH

A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does …

Apr 24, 2026
CVE-2026-25775
9.8 CRITICAL

A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related …

Apr 24, 2026
CVE-2026-25720
5.4 MEDIUM

A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without …

Apr 24, 2026
CVE-2026-1789
4.9 MEDIUM

A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production …

Apr 24, 2026
CVE-2026-6732
6.5 MEDIUM

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an …

Apr 23, 2026
CVE-2026-41361
7.1 HIGH

OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting …

Apr 23, 2026
CVE-2026-41360
6.7 MEDIUM

OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can …

Apr 23, 2026
CVE-2026-41359
7.1 HIGH

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the …

Apr 23, 2026
CVE-2026-41358
5.4 MEDIUM

OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages …

Apr 23, 2026
CVE-2026-41357
3.3 LOW

OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by …

Apr 23, 2026
CVE-2026-41356
5.4 MEDIUM

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket …

Apr 23, 2026
CVE-2026-41355
7.3 HIGH

OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access …

Apr 23, 2026
CVE-2026-41354
3.7 LOW

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. …

Apr 23, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.