CVE Database

36368+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-53435
8.8 HIGH

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or …

Jun 10, 2026
CVE-2026-52758
8.8 HIGH

Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote …

Jun 10, 2026
CVE-2026-52755
7.8 HIGH

Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers …

Jun 10, 2026
CVE-2026-52754
8.8 HIGH

Ghidra before 12.1 contains an authentication bypass vulnerability in PKIAuthenticationModule.authenticate() that allows any user with a valid CA-signed certificate to impersonate other users by presenting …

Jun 10, 2026
CVE-2026-52752
7.8 HIGH

Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious …

Jun 10, 2026
CVE-2026-52751
8.8 HIGH

Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious …

Jun 10, 2026
CVE-2026-52750
7.8 HIGH

Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary …

Jun 10, 2026
CVE-2026-49498
8.8 HIGH

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into …

Jun 10, 2026
CVE-2026-49069
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS. This issue affects WPZOOM Portfolio: from n/a through …

Jun 10, 2026
CVE-2025-71330
7.5 HIGH

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted …

Jun 10, 2026
CVE-2025-71329
7.5 HIGH

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted …

Jun 10, 2026
CVE-2026-24067
8.4 HIGH

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by …

Jun 10, 2026
CVE-2026-24066
8.4 HIGH

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by …

Jun 10, 2026
CVE-2026-3018
7.5 HIGH

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to …

Jun 10, 2026
CVE-2026-8071
8.8 HIGH

The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing …

Jun 10, 2026
CVE-2026-3326
8.6 HIGH

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action …

Jun 10, 2026
CVE-2026-11837
7.3 HIGH

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without …

Jun 10, 2026
CVE-2026-26239
8.1 HIGH

A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the …

Jun 10, 2026
CVE-2026-26237
7.5 HIGH

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized …

Jun 10, 2026
CVE-2026-24724
8.1 HIGH

An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the …

Jun 10, 2026
CVE-2026-24719
7.2 HIGH

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then …

Jun 10, 2026
CVE-2026-24716
7.2 HIGH

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can …

Jun 10, 2026
CVE-2026-22893
7.2 HIGH

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then …

Jun 10, 2026
CVE-2025-66281
7.2 HIGH

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch …

Jun 10, 2026
CVE-2025-66280
7.2 HIGH

An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they …

Jun 10, 2026
CVE-2025-66279
7.2 HIGH

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then …

Jun 10, 2026
CVE-2025-66273
7.2 HIGH

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then …

Jun 10, 2026
CVE-2025-62850
7.2 HIGH

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can …

Jun 10, 2026
CVE-2026-45542
7.1 HIGH

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the …

Jun 10, 2026
CVE-2026-45541
7.5 HIGH

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket …

Jun 10, 2026
CVE-2026-45329
7.1 HIGH

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.4 and 6.0, several ESP-TEE secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c validated only …

Jun 10, 2026
CVE-2026-53674
7.1 HIGH

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a …

Jun 10, 2026
CVE-2026-53673
8.1 HIGH

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by …

Jun 10, 2026
CVE-2026-46545
7.5 HIGH

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote, unauthenticated denial-of-service vulnerability …

Jun 10, 2026
CVE-2026-46541
7.5 HIGH

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator …

Jun 10, 2026
CVE-2026-46518
7.7 HIGH

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in …

Jun 10, 2026
CVE-2026-46517
7.8 HIGH

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user …

Jun 10, 2026
CVE-2026-46491
8.6 HIGH

SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths …

Jun 10, 2026
CVE-2026-46432
7.8 HIGH

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through …

Jun 10, 2026
CVE-2026-44716
7.5 HIGH

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability …

Jun 10, 2026
CVE-2026-41732
8.1 HIGH

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty …

Jun 10, 2026
CVE-2026-41731
8.1 HIGH

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its …

Jun 10, 2026
CVE-2026-41729
8.1 HIGH

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed …

Jun 10, 2026
CVE-2026-41728
7.5 HIGH

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: …

Jun 10, 2026
CVE-2026-41717
8.1 HIGH

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is …

Jun 10, 2026
CVE-2026-41716
7.5 HIGH

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons …

Jun 10, 2026
CVE-2026-41695
7.5 HIGH

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path …

Jun 10, 2026
CVE-2026-41003
7.6 HIGH

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: …

Jun 10, 2026
CVE-2026-40993
7.3 HIGH

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing …

Jun 10, 2026
CVE-2026-40988
7.5 HIGH

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of …

Jun 10, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.