CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-22753
7.5 HIGH

Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter …

Apr 22, 2026
CVE-2026-22748
5.3 MEDIUM

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling …

Apr 22, 2026
CVE-2026-22747
6.8 MEDIUM

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for …

Apr 22, 2026
CVE-2026-22746
3.7 LOW

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's …

Apr 22, 2026
CVE-2026-40451
6.1 MEDIUM

DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's …

Apr 22, 2026
CVE-2026-6835
6.1 MEDIUM

The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, …

Apr 22, 2026
CVE-2026-6834
6.5 MEDIUM

The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method.

Apr 22, 2026
CVE-2026-6833
6.5 MEDIUM

The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.

Apr 22, 2026
CVE-2026-6416
2.7 LOW

Tanium addressed an uncontrolled resource consumption vulnerability in Interact.

Apr 22, 2026
CVE-2026-6408
2.7 LOW

Tanium addressed an information disclosure vulnerability in Tanium Server.

Apr 22, 2026
CVE-2026-6392
2.7 LOW

Tanium addressed an information disclosure vulnerability in Threat Response.

Apr 22, 2026
CVE-2026-6386
6.2 MEDIUM

In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled …

Apr 22, 2026
CVE-2026-5398
8.4 HIGH

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process …

Apr 22, 2026
CVE-2026-41458

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by …

Apr 22, 2026
CVE-2026-41457

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions …

Apr 22, 2026
CVE-2026-41146

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value …

Apr 22, 2026
CVE-2026-41145
8.2 HIGH

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any …

Apr 22, 2026
CVE-2026-40344
8.2 HIGH

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler (`PutObjectExtractHandler`) allows …

Apr 22, 2026
CVE-2026-41304
9.8 CRITICAL

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled …

Apr 22, 2026
CVE-2026-41144
0.0 NONE

F´ (F Prime) is a framework that enables development and deployment of spaceflight and other embedded software applications. Prior to version 4.2.0, the bounds check …

Apr 22, 2026
CVE-2026-41136
5.3 MEDIUM

free5GC AMF provides Access & Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version …

Apr 22, 2026
CVE-2026-41135
7.5 HIGH

free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability …

Apr 22, 2026
CVE-2026-41133
8.8 HIGH

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at …

Apr 22, 2026
CVE-2026-41131
5.0 MEDIUM

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two …

Apr 22, 2026
CVE-2026-41130

Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint …

Apr 22, 2026
CVE-2026-41129

Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side …

Apr 22, 2026
CVE-2026-41128

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove …

Apr 22, 2026
CVE-2026-41127
6.5 MEDIUM

BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions …

Apr 22, 2026
CVE-2026-41126
4.3 MEDIUM

BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling …

Apr 22, 2026
CVE-2026-41064
9.3 CRITICAL

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget …

Apr 22, 2026
CVE-2026-41059
8.2 HIGH

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when …

Apr 22, 2026
CVE-2026-40575
9.1 CRITICAL

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is …

Apr 22, 2026
CVE-2026-40343
5.8 MEDIUM

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to …

Apr 22, 2026
CVE-2026-5921
8.9 HIGH

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through …

Apr 21, 2026
CVE-2026-5845
9.6 CRITICAL

An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended …

Apr 21, 2026
CVE-2026-5512
4.3 MEDIUM

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric …

Apr 21, 2026
CVE-2026-4872

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Apr 21, 2026
CVE-2026-4821
7.2 HIGH

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands …

Apr 21, 2026
CVE-2026-4296
8.8 HIGH

An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge …

Apr 21, 2026
CVE-2026-41063
5.4 MEDIUM

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw …

Apr 21, 2026
CVE-2026-41062
6.5 MEDIUM

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks …

Apr 21, 2026
CVE-2026-41061
5.4 MEDIUM

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, …

Apr 21, 2026
CVE-2026-41060
7.7 HIGH

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that …

Apr 21, 2026
CVE-2026-41058
8.1 HIGH

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path …

Apr 21, 2026
CVE-2026-41057
7.1 HIGH

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate …

Apr 21, 2026
CVE-2026-41056
8.1 HIGH

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in …

Apr 21, 2026
CVE-2026-41055
8.6 HIGH

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but …

Apr 21, 2026
CVE-2026-40935
5.3 MEDIUM

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with …

Apr 21, 2026
CVE-2026-40929
5.4 MEDIUM

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no …

Apr 21, 2026
CVE-2026-40928
5.4 MEDIUM

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and …

Apr 21, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.