CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-41243
5.4 MEDIUM

OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when `safeMode` is enabled, unapproved forum posts are hidden from the public list, but the …

Apr 23, 2026
CVE-2026-41211
10.0 CRITICAL

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly …

Apr 23, 2026
CVE-2026-41208
8.8 HIGH

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 …

Apr 23, 2026
CVE-2026-41206
7.8 HIGH

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis …

Apr 23, 2026
CVE-2026-41200

STIG Manager is an API and web client for managing Security Technical Implementation Guides (STIG) assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a …

Apr 23, 2026
CVE-2026-41197

Noir is a Domain Specific Language for SNARK proving systems that is designed to use any ACIR compatible proving system, and Brillig is the bytecode …

Apr 23, 2026
CVE-2026-41196
10.0 CRITICAL

Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape …

Apr 23, 2026
CVE-2026-41182
5.3 MEDIUM

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python …

Apr 23, 2026
CVE-2026-41180
7.5 HIGH

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using …

Apr 23, 2026
CVE-2026-1923
6.4 MEDIUM

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, …

Apr 23, 2026
CVE-2026-6878
5.6 MEDIUM

A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. …

Apr 23, 2026
CVE-2026-6874
4.3 MEDIUM

A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing …

Apr 23, 2026
CVE-2026-5935
7.3 HIGH

IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with …

Apr 23, 2026
CVE-2026-5926
6.5 MEDIUM

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 …

Apr 23, 2026
CVE-2026-4919
4.8 MEDIUM

IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI …

Apr 23, 2026
CVE-2026-4918
5.5 MEDIUM

IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web …

Apr 23, 2026
CVE-2026-4917
4.9 MEDIUM

IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request …

Apr 23, 2026
CVE-2026-41179
9.8 CRITICAL

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version …

Apr 23, 2026
CVE-2026-41176
9.8 CRITICAL

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: …

Apr 23, 2026
CVE-2026-40062
7.5 HIGH

A path Traversal vulnerability exists in Ziostation2 v2.9.8.7 and earlier. A remote unauthenticated attacker may get sensitive information on the operating system.

Apr 23, 2026
CVE-2026-3621
7.5 HIGH

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application …

Apr 23, 2026
CVE-2026-32679
7.8 HIGH

The installers of LiveOn Meet Client for Windows (Downloader5Installer.exe and Downloader5InstallerForAdmin.exe) and the installers of Canon Network Camera Plugin (CanonNWCamPlugin.exe and CanonNWCamPluginForAdmin.exe) insecurely load Dynamic …

Apr 23, 2026
CVE-2026-29198
9.8 CRITICAL

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with …

Apr 23, 2026
CVE-2026-1726
4.8 MEDIUM

IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1

Apr 23, 2026
CVE-2026-1352
6.5 MEDIUM

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause …

Apr 23, 2026
CVE-2026-1274
4.9 MEDIUM

IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to a Bypass Business Logic vulnerability in the access management control panel.

Apr 23, 2026
CVE-2026-1272
2.7 LOW

IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration vulnerability in the user access control panel.

Apr 23, 2026
CVE-2025-36074
5.5 MEDIUM

IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A …

Apr 23, 2026
CVE-2026-4049

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Apr 22, 2026
CVE-2026-41455
8.5 HIGH

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction …

Apr 22, 2026
CVE-2026-41454
8.3 HIGH

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper …

Apr 22, 2026
CVE-2026-41314
6.5 MEDIUM

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF …

Apr 22, 2026
CVE-2026-41313
6.5 MEDIUM

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF …

Apr 22, 2026
CVE-2026-41312
6.5 MEDIUM

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF …

Apr 22, 2026
CVE-2026-41177
5.5 MEDIUM

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind …

Apr 22, 2026
CVE-2026-41175
8.1 HIGH

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST …

Apr 22, 2026
CVE-2026-41172

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset …

Apr 22, 2026
CVE-2026-41171

Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due …

Apr 22, 2026
CVE-2026-41170

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply …

Apr 22, 2026
CVE-2026-40517
7.8 HIGH

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a …

Apr 22, 2026
CVE-2026-41168
5.3 MEDIUM

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF …

Apr 22, 2026
CVE-2026-41167
9.1 CRITICAL

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating …

Apr 22, 2026
CVE-2026-41166
7.0 HIGH

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to …

Apr 22, 2026
CVE-2026-41134
7.8 HIGH

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks …

Apr 22, 2026
CVE-2026-40937
8.3 HIGH

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` …

Apr 22, 2026
CVE-2026-40882
7.6 HIGH

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user …

Apr 22, 2026
CVE-2026-3837
5.4 MEDIUM

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. …

Apr 22, 2026
CVE-2026-34068
6.8 MEDIUM

nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` …

Apr 22, 2026
CVE-2026-34067
3.1 LOW

nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != …

Apr 22, 2026
CVE-2026-33733
7.2 HIGH

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and …

Apr 22, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.