CVE Database

36368+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-53782
7.4 HIGH

Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript …

Jun 11, 2026
CVE-2026-46622
8.1 HIGH

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in …

Jun 11, 2026
CVE-2026-46489
8.1 HIGH

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can …

Jun 11, 2026
CVE-2026-52860
7.8 HIGH

Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current …

Jun 11, 2026
CVE-2026-52859
8.2 HIGH

Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the …

Jun 11, 2026
CVE-2026-52858
7.8 HIGH

Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter …

Jun 11, 2026
CVE-2026-48547
7.3 HIGH

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the …

Jun 11, 2026
CVE-2026-47170
7.7 HIGH

Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface. Prior to version 1.1, authenticated users can cause the …

Jun 11, 2026
CVE-2026-47162
8.8 HIGH

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin …

Jun 11, 2026
CVE-2026-46519
8.8 HIGH

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as …

Jun 11, 2026
CVE-2026-11774
7.6 HIGH

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet …

Jun 11, 2026
CVE-2025-46315
7.5 HIGH

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user …

Jun 11, 2026
CVE-2025-31272
7.8 HIGH

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass launch constraint protections …

Jun 11, 2026
CVE-2025-24284
8.8 HIGH

This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Sequoia 15.4. An app may be able to …

Jun 11, 2026
CVE-2026-48546
7.3 HIGH

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require …

Jun 11, 2026
CVE-2026-46697
7.5 HIGH

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true …

Jun 11, 2026
CVE-2026-49982
8.2 HIGH

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain …

Jun 11, 2026
CVE-2026-44705
8.2 HIGH

tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping …

Jun 11, 2026
CVE-2026-44496
7.5 HIGH

Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the …

Jun 11, 2026
CVE-2026-44495
7.0 HIGH

Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request …

Jun 11, 2026
CVE-2026-44494
8.7 HIGH

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype …

Jun 11, 2026
CVE-2026-44492
8.6 HIGH

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When …

Jun 11, 2026
CVE-2026-44488
7.5 HIGH

Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size …

Jun 11, 2026
CVE-2026-44487
7.5 HIGH

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization …

Jun 11, 2026
CVE-2026-44486
7.5 HIGH

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials …

Jun 11, 2026
CVE-2026-7870
8.8 HIGH

IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could …

Jun 11, 2026
CVE-2026-7787
7.5 HIGH

IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references.

Jun 11, 2026
CVE-2026-53777
8.1 HIGH

Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running …

Jun 11, 2026
CVE-2026-11816
8.1 HIGH

Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` …

Jun 11, 2026
CVE-2026-10847
7.8 HIGH

A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS. An authenticated local user may be able to execute arbitrary …

Jun 11, 2026
CVE-2026-8589
7.3 HIGH

GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain …

Jun 11, 2026
CVE-2026-7250
7.5 HIGH

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain …

Jun 11, 2026
CVE-2026-6552
8.7 HIGH

GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain …

Jun 11, 2026
CVE-2026-10087
8.7 HIGH

GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain …

Jun 11, 2026
CVE-2026-5497
7.5 HIGH

vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` …

Jun 11, 2026
CVE-2023-33999
7.1 HIGH

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: …

Jun 11, 2026
CVE-2026-41856
7.5 HIGH

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue …

Jun 11, 2026
CVE-2026-41700
8.1 HIGH

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting …

Jun 11, 2026
CVE-2026-41699
8.1 HIGH

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead …

Jun 11, 2026
CVE-2026-40999
8.6 HIGH

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from …

Jun 11, 2026
CVE-2026-40998
8.2 HIGH

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of …

Jun 11, 2026
CVE-2026-40994
8.2 HIGH

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on …

Jun 11, 2026
CVE-2026-40987
7.1 HIGH

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring …

Jun 11, 2026
CVE-2026-10795
8.1 HIGH

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the …

Jun 11, 2026
CVE-2026-53461
7.5 HIGH

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, an incorrect loop in the ICON …

Jun 10, 2026
CVE-2026-53460
7.5 HIGH

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for maximum memory …

Jun 10, 2026
CVE-2026-52726
7.5 HIGH

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension …

Jun 10, 2026
CVE-2026-50223
8.8 HIGH

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection …

Jun 10, 2026
CVE-2026-49218
7.5 HIGH

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM …

Jun 10, 2026
CVE-2026-47342
8.8 HIGH

A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are …

Jun 10, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.