CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-34403
8.1 HIGH

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader …

Apr 20, 2026
CVE-2026-33626
7.5 HIGH

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's …

Apr 20, 2026
CVE-2026-33432
9.1 CRITICAL

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, …

Apr 20, 2026
CVE-2026-33431
6.5 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver …

Apr 20, 2026
CVE-2026-33031
8.1 HIGH

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can …

Apr 20, 2026
CVE-2026-32613
9.9 CRITICAL

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around …

Apr 20, 2026
CVE-2026-32604
9.9 CRITICAL

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands …

Apr 20, 2026
CVE-2026-29648
8.8 HIGH

In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read …

Apr 20, 2026
CVE-2026-29647
6.5 MEDIUM

In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context …

Apr 20, 2026
CVE-2026-29646
9.8 CRITICAL

In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be …

Apr 20, 2026
CVE-2026-29642
7.8 HIGH

A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in …

Apr 20, 2026
CVE-2026-6550
4.7 MEDIUM

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated …

Apr 20, 2026
CVE-2026-6257
9.1 CRITICAL

Vvveb CMS prior to v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename …

Apr 20, 2026
CVE-2026-6249
8.8 HIGH

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by …

Apr 20, 2026
CVE-2026-5478
8.1 HIGH

The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due …

Apr 20, 2026
CVE-2026-32311
9.8 CRITICAL

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used …

Apr 20, 2026
CVE-2026-32135
7.5 HIGH

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function …

Apr 20, 2026
CVE-2026-29649
9.8 CRITICAL

NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write …

Apr 20, 2026
CVE-2026-29645
7.5 HIGH

NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when …

Apr 20, 2026
CVE-2026-6248
8.1 HIGH

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding …

Apr 20, 2026
CVE-2026-6060
4.5 MEDIUM

A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. …

Apr 20, 2026
CVE-2025-11249

Rejected reason: This CVE id was assigned as a duplicate of CVE-2025-66414.

Apr 20, 2026
CVE-2026-41389
5.8 MEDIUM

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious …

Apr 20, 2026
CVE-2026-39112
5.4 MEDIUM

Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject …

Apr 20, 2026
CVE-2026-39111
7.5 HIGH

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows …

Apr 20, 2026
CVE-2026-39110
8.2 HIGH

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows …

Apr 20, 2026
CVE-2026-39109
9.4 CRITICAL

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an …

Apr 20, 2026
CVE-2026-26399
5.3 MEDIUM

A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its …

Apr 20, 2026
CVE-2026-23758
5.4 MEDIUM

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by …

Apr 20, 2026
CVE-2026-23757
5.4 MEDIUM

GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML …

Apr 20, 2026
CVE-2026-23756
5.4 MEDIUM

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and …

Apr 20, 2026
CVE-2026-23753
4.8 MEDIUM

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() …

Apr 20, 2026
CVE-2026-23752
4.8 MEDIUM

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary …

Apr 20, 2026
CVE-2026-6662
7.3 HIGH

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token …

Apr 20, 2026
CVE-2026-41445
8.8 HIGH

KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit integer …

Apr 20, 2026
CVE-2026-40488
8.8 HIGH

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of …

Apr 20, 2026
CVE-2026-40098
5.4 MEDIUM

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of …

Apr 20, 2026
CVE-2026-35154
6.3 MEDIUM

Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege …

Apr 20, 2026
CVE-2026-30269
9.9 CRITICAL

Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. …

Apr 20, 2026
CVE-2026-30266
7.8 HIGH

Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file

Apr 20, 2026
CVE-2026-28684
6.6 MEDIUM

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow …

Apr 20, 2026
CVE-2026-26951
6.7 MEDIUM

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a stack-based buffer overflow …

Apr 20, 2026
CVE-2026-26943
7.2 HIGH

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection …

Apr 20, 2026
CVE-2026-26942
6.7 MEDIUM

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A …

Apr 20, 2026
CVE-2026-25525
4.9 MEDIUM

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of …

Apr 20, 2026
CVE-2026-25524
8.1 HIGH

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of …

Apr 20, 2026
CVE-2026-24506
7.2 HIGH

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection …

Apr 20, 2026
CVE-2026-24505
7.2 HIGH

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this …

Apr 20, 2026
CVE-2026-24504
7.2 HIGH

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper input validation …

Apr 20, 2026
CVE-2026-22761
6.7 MEDIUM

Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, …

Apr 20, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.