CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-29013

libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is …

Apr 17, 2026
CVE-2026-40527
7.8 HIGH

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences …

Apr 17, 2026
CVE-2026-40303
7.5 HIGH

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, …

Apr 17, 2026
CVE-2026-40302
6.1 MEDIUM

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no …

Apr 17, 2026
CVE-2026-40301
4.7 MEDIUM

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. …

Apr 17, 2026
CVE-2026-40299

next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG …

Apr 17, 2026
CVE-2026-40293
6.5 MEDIUM

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground …

Apr 17, 2026
CVE-2026-40286
7.5 HIGH

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' …

Apr 17, 2026
CVE-2026-40285
8.8 HIGH

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the …

Apr 17, 2026
CVE-2026-40284
6.8 MEDIUM

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject …

Apr 17, 2026
CVE-2026-40282

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject …

Apr 17, 2026
CVE-2026-40196
8.1 HIGH

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user …

Apr 17, 2026
CVE-2026-40155
5.4 MEDIUM

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce …

Apr 17, 2026
CVE-2026-35603
7.3 HIGH

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating …

Apr 17, 2026
CVE-2026-35512
8.8 HIGH

xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to …

Apr 17, 2026
CVE-2026-35402

mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using …

Apr 17, 2026
CVE-2026-33689
9.1 CRITICAL

xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated …

Apr 17, 2026
CVE-2026-33436
3.1 LOW

Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames …

Apr 17, 2026
CVE-2026-33145
6.3 MEDIUM

xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe …

Apr 17, 2026
CVE-2026-23500
9.1 CRITICAL

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion …

Apr 17, 2026
CVE-2026-40461
7.5 HIGH

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate …

Apr 17, 2026
CVE-2026-40434
8.1 HIGH

Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt …

Apr 17, 2026
CVE-2026-40342
9.9 CRITICAL

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine …

Apr 17, 2026
CVE-2026-40283
6.8 MEDIUM

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject …

Apr 17, 2026
CVE-2026-40066
8.8 HIGH

Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated …

Apr 17, 2026
CVE-2026-35682
8.8 HIGH

Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level …

Apr 17, 2026
CVE-2026-35546
9.8 CRITICAL

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code …

Apr 17, 2026
CVE-2026-35215
7.5 HIGH

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of …

Apr 17, 2026
CVE-2026-35061
5.3 MEDIUM

Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery.

Apr 17, 2026
CVE-2026-34232
7.5 HIGH

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type …

Apr 17, 2026
CVE-2026-33569
6.5 MEDIUM

Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise …

Apr 17, 2026
CVE-2026-33516
9.1 CRITICAL

xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase. The issue occurs when …

Apr 17, 2026
CVE-2026-33093
5.3 MEDIUM

Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about …

Apr 17, 2026
CVE-2026-32650
7.5 HIGH

Anviz CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable encryption, causing database credentials to be sent in plaintext and enabling …

Apr 17, 2026
CVE-2026-32648
5.3 MEDIUM

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device.

Apr 17, 2026
CVE-2026-32624
6.5 MEDIUM

xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in its logon processing. In environments where domain_user_separator is …

Apr 17, 2026
CVE-2026-32623
8.1 HIGH

xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from …

Apr 17, 2026
CVE-2026-32324
7.7 HIGH

Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at …

Apr 17, 2026
CVE-2026-32107
8.8 HIGH

xrdp is an open source RDP server. In versions through 0.10.5, the session execution component did not properly handle an error during the privilege drop …

Apr 17, 2026
CVE-2026-32105
7.7 HIGH

xrdp is an open source RDP server. In versions through 0.10.5, xrdp does not implement verification for the Message Authentication Code (MAC) signature of encrypted …

Apr 17, 2026
CVE-2026-31927
4.9 MEDIUM

Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when …

Apr 17, 2026
CVE-2026-6437
6.5 MEDIUM

Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation …

Apr 17, 2026
CVE-2026-40525
9.1 CRITICAL

OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the …

Apr 17, 2026
CVE-2026-33337
7.5 HIGH

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does …

Apr 17, 2026
CVE-2026-28224
8.2 HIGH

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior …

Apr 17, 2026
CVE-2026-28214
6.5 MEDIUM

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when …

Apr 17, 2026
CVE-2026-28212
7.5 HIGH

Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server …

Apr 17, 2026
CVE-2026-27890
8.2 HIGH

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes …

Apr 17, 2026
CVE-2026-5718
8.1 HIGH

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and …

Apr 17, 2026
CVE-2026-5710
7.5 HIGH

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in …

Apr 17, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.