CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-6451
4.3 MEDIUM

The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation …

Apr 17, 2026
CVE-2026-40002
5.0 MEDIUM

Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for …

Apr 17, 2026
CVE-2026-33392
7.2 HIGH

In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass

Apr 17, 2026
CVE-2026-23853
8.4 HIGH

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 …

Apr 17, 2026
CVE-2026-6443
9.8 CRITICAL

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a …

Apr 17, 2026
CVE-2026-6441
4.3 MEDIUM

The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any …

Apr 17, 2026
CVE-2026-4659
7.5 HIGH

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and …

Apr 17, 2026
CVE-2026-6482
7.8 HIGH

The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a …

Apr 17, 2026
CVE-2026-6421
7.0 HIGH

A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1. This affects an unknown part in the library msimg32.dll. The manipulation leads …

Apr 17, 2026
CVE-2026-5797
5.3 MEDIUM

The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to …

Apr 17, 2026
CVE-2026-35496
2.7 LOW

A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should …

Apr 17, 2026
CVE-2026-34018
9.8 CRITICAL

An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.

Apr 17, 2026
CVE-2026-21719
7.2 HIGH

An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS …

Apr 17, 2026
CVE-2026-6080
6.5 MEDIUM

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on …

Apr 17, 2026
CVE-2026-5807
7.5 HIGH

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single …

Apr 17, 2026
CVE-2026-5502
5.3 MEDIUM

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including …

Apr 17, 2026
CVE-2026-5427
5.3 MEDIUM

The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks …

Apr 17, 2026
CVE-2026-5234
5.3 MEDIUM

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the …

Apr 17, 2026
CVE-2026-4853
4.9 MEDIUM

The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and …

Apr 17, 2026
CVE-2026-3330
4.9 MEDIUM

The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions …

Apr 17, 2026
CVE-2026-5052
5.3 MEDIUM

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to …

Apr 17, 2026
CVE-2026-4666
6.5 MEDIUM

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the …

Apr 17, 2026
CVE-2026-4525
7.5 HIGH

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded …

Apr 17, 2026
CVE-2026-3605
8.1 HIGH

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized …

Apr 17, 2026
CVE-2026-5231
7.2 HIGH

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This …

Apr 17, 2026
CVE-2026-5162
6.4 MEDIUM

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up …

Apr 17, 2026
CVE-2026-4817
6.5 MEDIUM

The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' …

Apr 17, 2026
CVE-2026-3488
6.5 MEDIUM

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability …

Apr 17, 2026
CVE-2026-40922
5.4 MEDIUM

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for …

Apr 17, 2026
CVE-2026-40265
5.9 MEDIUM

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the …

Apr 17, 2026
CVE-2026-40263
3.7 LOW

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, …

Apr 17, 2026
CVE-2026-40262
8.7 HIGH

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection …

Apr 17, 2026
CVE-2026-40260
5.3 MEDIUM

pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who …

Apr 17, 2026
CVE-2026-22734
8.6 HIGH

Cloud Foundry UUA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. …

Apr 17, 2026
CVE-2026-40322
9.0 CRITICAL

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting …

Apr 16, 2026
CVE-2026-40318
8.5 HIGH

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter …

Apr 16, 2026
CVE-2026-40259
8.1 HIGH

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service …

Apr 16, 2026
CVE-2026-40255
6.1 MEDIUM

AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and …

Apr 16, 2026
CVE-2026-40253
6.8 MEDIUM

openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common …

Apr 16, 2026
CVE-2024-58343
4.3 MEDIUM

Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.

Apr 16, 2026
CVE-2026-41113
8.1 HIGH

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Apr 16, 2026
CVE-2026-40308

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied …

Apr 16, 2026
CVE-2026-40249
5.3 MEDIUM

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy …

Apr 16, 2026
CVE-2026-40248
7.5 HIGH

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating …

Apr 16, 2026
CVE-2026-40247
7.5 HIGH

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence …

Apr 16, 2026
CVE-2026-40246
7.5 HIGH

free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence …

Apr 16, 2026
CVE-2026-40170
7.5 HIGH

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack …

Apr 16, 2026
CVE-2026-39313

mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request …

Apr 16, 2026
CVE-2026-35469

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts …

Apr 16, 2026
CVE-2026-34164
4.9 MEDIUM

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at …

Apr 16, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.