CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-15621

Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication

Apr 16, 2026
CVE-2026-3489
7.5 HIGH

The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, …

Apr 16, 2026
CVE-2026-3369
5.4 MEDIUM

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, …

Apr 16, 2026
CVE-2026-3155
3.1 LOW

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to …

Apr 16, 2026
CVE-2025-12624
6.0 MEDIUM

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously …

Apr 16, 2026
CVE-2025-6024
6.1 MEDIUM

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by …

Apr 16, 2026
CVE-2024-8010
3.5 LOW

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits …

Apr 16, 2026
CVE-2024-4867
5.4 MEDIUM

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to …

Apr 16, 2026
CVE-2024-10242
6.1 MEDIUM

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads …

Apr 16, 2026
CVE-2025-67711
6.1 MEDIUM

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a …

Dec 31, 2025
CVE-2025-67710
6.1 MEDIUM

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a …

Dec 31, 2025
CVE-2025-67709
6.1 MEDIUM

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a …

Dec 31, 2025
CVE-2025-67708
6.1 MEDIUM

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a …

Dec 31, 2025
CVE-2025-67707
5.6 MEDIUM

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files …

Dec 31, 2025
CVE-2025-67706
5.6 MEDIUM

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files …

Dec 31, 2025
CVE-2025-67705
6.1 MEDIUM

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a …

Dec 31, 2025
CVE-2025-67704
6.1 MEDIUM

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a …

Dec 31, 2025
CVE-2025-67703
6.1 MEDIUM

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a …

Dec 31, 2025
CVE-2025-69288
9.1 CRITICAL

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. …

Dec 31, 2025
CVE-2025-69286
9.8 CRITICAL

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key …

Dec 31, 2025
CVE-2025-68700
8.8 HIGH

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands …

Dec 31, 2025
CVE-2025-34469
7.5 HIGH

Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated …

Dec 31, 2025
CVE-2025-15398
3.7 LOW

A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token …

Dec 31, 2025
CVE-2023-7332

PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request …

Dec 31, 2025
CVE-2025-53235
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Social easy-social-media allows Reflected XSS.This issue affects Easy Social: from n/a …

Dec 31, 2025
CVE-2023-7331
4.7 MEDIUM

A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql …

Dec 31, 2025
CVE-2015-10145
8.8 HIGH

Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied …

Dec 31, 2025
CVE-2025-66148
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Conformer for Elementor conformer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conformer for Elementor: from n/a through …

Dec 31, 2025
CVE-2025-66146
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Logger for Elementor logger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Logger for Elementor: from n/a through …

Dec 31, 2025
CVE-2025-66145
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Worker for WPBakery worker-wpbakery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Worker for WPBakery: from n/a through …

Dec 31, 2025
CVE-2025-66144
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Worker for Elementor worker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Worker for Elementor: from n/a through …

Dec 31, 2025
CVE-2025-52739
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Sala allows Reflected XSS.This issue affects Sala: from n/a through 1.1.3.

Dec 31, 2025
CVE-2025-50053
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android …

Dec 31, 2025
CVE-2025-47566
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS.This issue affects ZoomSounds: from n/a through 6.91.

Dec 31, 2025
CVE-2025-31054
7.1 HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8.

Dec 31, 2025
CVE-2025-30628
8.5 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) …

Dec 31, 2025
CVE-2025-28973
6.5 MEDIUM

Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal.This issue affects Pro Bulk Watermark Plugin for WordPress: from …

Dec 31, 2025
CVE-2025-28949
8.5 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders allows Blind SQL Injection.This …

Dec 31, 2025
CVE-2025-23757
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper zd-scribd-ipaper allows Reflected XSS.This issue affects ZD Scribd …

Dec 31, 2025
CVE-2025-23719
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget zhina-twitter-widget allows Reflected XSS.This issue affects ZhinaTwitterWidget: from n/a through <= …

Dec 31, 2025
CVE-2025-23707
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS.This issue affects En Masse: from n/a …

Dec 31, 2025
CVE-2025-23705
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery zielke-design-project-gallery allows Reflected XSS.This issue affects Zielke …

Dec 31, 2025
CVE-2025-23667
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill custom-post-edit front-end-post-edit allows Reflected XSS.This issue affects custom-post-edit: from n/a through …

Dec 31, 2025
CVE-2025-66153
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Headinger for Elementor headinger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Headinger for Elementor: from n/a through …

Dec 31, 2025
CVE-2025-66152
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Criptopayer for Elementor criptopayer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Criptopayer for Elementor: from n/a through …

Dec 31, 2025
CVE-2025-66151
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Countdowner for Elementor countdowner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Countdowner for Elementor: from n/a through …

Dec 31, 2025
CVE-2025-66150
5.4 MEDIUM

Missing Authorization vulnerability in merkulove Appender appender allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Appender: from n/a through <= 1.1.1.

Dec 31, 2025
CVE-2025-66149
5.4 MEDIUM

Missing Authorization vulnerability in merkulove UnGrabber ungrabber allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnGrabber: from n/a through <= 3.1.3.

Dec 31, 2025
CVE-2025-34468
9.8 CRITICAL

libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied …

Dec 31, 2025
CVE-2025-34467
4.3 MEDIUM

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When …

Dec 31, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.