CVE Database

108042+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-49417
7.0 HIGH

Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could …

Jun 27, 2026
CVE-2026-49413
7.1 HIGH

The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at …

Jun 27, 2026
CVE-2026-49412
7.8 HIGH

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window …

Jun 27, 2026
CVE-2026-45259
6.5 MEDIUM

sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability …

Jun 27, 2026
CVE-2026-45258
7.8 HIGH

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that …

Jun 27, 2026
CVE-2026-9242
5.3 MEDIUM

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data …

Jun 27, 2026
CVE-2026-9233
4.3 MEDIUM

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, …

Jun 27, 2026
CVE-2026-3462
6.5 MEDIUM

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in …

Jun 27, 2026
CVE-2026-13295
6.4 MEDIUM

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 …

Jun 27, 2026
CVE-2026-12471
4.3 MEDIUM

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, …

Jun 27, 2026
CVE-2026-12432
5.3 MEDIUM

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. …

Jun 27, 2026
CVE-2026-12399
4.4 MEDIUM

The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions …

Jun 27, 2026
CVE-2026-11987
4.3 MEDIUM

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference …

Jun 27, 2026
CVE-2026-11783
6.4 MEDIUM

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via …

Jun 27, 2026
CVE-2026-11773
4.3 MEDIUM

The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, …

Jun 27, 2026
CVE-2026-11597
6.4 MEDIUM

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. …

Jun 27, 2026
CVE-2026-11364
4.3 MEDIUM

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. …

Jun 27, 2026
CVE-2026-9677
4.8 MEDIUM

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML …

Jun 27, 2026
CVE-2026-13245
6.1 MEDIUM

The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, …

Jun 27, 2026
CVE-2026-12404
5.3 MEDIUM

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This …

Jun 27, 2026
CVE-2026-10820
8.1 HIGH

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user …

Jun 27, 2026
CVE-2026-12415
9.8 CRITICAL

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up …

Jun 27, 2026
CVE-2026-13422
4.3 MEDIUM

The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce …

Jun 27, 2026
CVE-2026-13335
6.4 MEDIUM

The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, …

Jun 27, 2026
CVE-2026-13333
6.5 MEDIUM

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, …

Jun 27, 2026
CVE-2026-13331
6.5 MEDIUM

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up …

Jun 27, 2026
CVE-2026-11356
4.4 MEDIUM

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up …

Jun 27, 2026
CVE-2025-59868
5.5 MEDIUM

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then …

Jun 27, 2026
CVE-2023-37524
7.7 HIGH

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Since .NET Framework 4.5 has reached …

Jun 27, 2026
CVE-2026-56414
7.2 HIGH

A vulnerability exists in H.View IP cameras certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating …

Jun 26, 2026
CVE-2026-55975
7.2 HIGH

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which …

Jun 26, 2026
CVE-2026-33560
7.1 HIGH

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without …

Jun 26, 2026
CVE-2026-31928
8.1 HIGH

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration …

Jun 26, 2026
CVE-2026-28701
9.8 CRITICAL

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Jun 26, 2026
CVE-2026-55069
8.7 HIGH

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. …

Jun 26, 2026
CVE-2026-53577
6.5 MEDIUM

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any …

Jun 26, 2026
CVE-2026-53576
10.0 CRITICAL

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path …

Jun 26, 2026
CVE-2026-50767
5.4 MEDIUM

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote …

Jun 26, 2026
CVE-2026-50766
5.4 MEDIUM

A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote …

Jun 26, 2026
CVE-2026-50765
6.1 MEDIUM

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated …

Jun 26, 2026
CVE-2026-49984
7.7 HIGH

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts …

Jun 26, 2026
CVE-2026-49869
10.0 CRITICAL

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from …

Jun 26, 2026
CVE-2026-45807
7.7 HIGH

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass …

Jun 26, 2026
CVE-2026-38571
4.6 MEDIUM

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda …

Jun 26, 2026
CVE-2026-36908
5.5 MEDIUM

A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Jun 26, 2026
CVE-2026-36907
5.5 MEDIUM

A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Jun 26, 2026
CVE-2026-36478
7.5 HIGH

An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components

Jun 26, 2026
CVE-2026-54353
8.5 HIGH

Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch …

Jun 26, 2026
CVE-2026-54352
9.6 CRITICAL

Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, …

Jun 26, 2026
CVE-2026-54351
8.2 HIGH

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body …

Jun 26, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.