CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-48315
9.3 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of …

Jun 30, 2026
CVE-2026-48313
9.3 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead …

Jun 30, 2026
CVE-2026-48286
10.0 CRITICAL

Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in …

Jun 30, 2026
CVE-2026-48283
10.0 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution …

Jun 30, 2026
CVE-2026-48282
10.0 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead …

Jun 30, 2026
CVE-2026-48281
10.0 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of …

Jun 30, 2026
CVE-2026-48277
10.0 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of …

Jun 30, 2026
CVE-2026-48276
10.0 CRITICAL

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution …

Jun 30, 2026
CVE-2026-14241
9.8 CRITICAL

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of …

Jun 30, 2026
CVE-2026-8655
9.8 CRITICAL

Multiple Memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and Denial of Service if NetScaler ADC is configured …

Jun 30, 2026
CVE-2026-8452
9.8 CRITICAL

Memory overflow vulnerability NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and Denial of Service if the appliance is configured as a …

Jun 30, 2026
CVE-2026-6556
9.1 CRITICAL

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays …

Jun 30, 2026
CVE-2026-58116
9.8 CRITICAL

LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model …

Jun 30, 2026
CVE-2026-8402
9.8 CRITICAL

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. SYSGUARD 6001 allows …

Jun 30, 2026
CVE-2026-14162
9.8 CRITICAL

Hospital Queuing Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.

Jun 30, 2026
CVE-2026-13766
9.8 CRITICAL

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor …

Jun 30, 2026
CVE-2026-9711
9.8 CRITICAL

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress (full) is vulnerable to SQL Injection via the WordPress 'search' parameter in versions up …

Jun 30, 2026
CVE-2026-12073
9.8 CRITICAL

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and …

Jun 30, 2026
CVE-2026-55276
9.1 CRITICAL

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. …

Jun 29, 2026
CVE-2026-53434
9.1 CRITICAL

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 …

Jun 29, 2026
CVE-2026-57498
9.6 CRITICAL

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) …

Jun 29, 2026
CVE-2026-39868
9.1 CRITICAL

This issue was addressed with improved input validation. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. An app may be …

Jun 29, 2026
CVE-2026-37637
9.1 CRITICAL

An issue in Alexantr filemanager v.1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component

Jun 29, 2026
CVE-2026-13763
9.8 CRITICAL

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body …

Jun 29, 2026
CVE-2026-13762
9.8 CRITICAL

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via …

Jun 29, 2026
CVE-2026-56782
9.8 CRITICAL

Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is …

Jun 29, 2026
CVE-2026-11720
9.1 CRITICAL

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into …

Jun 29, 2026
CVE-2026-57331
9.9 CRITICAL

Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.

Jun 29, 2026
CVE-2026-56290
9.8 CRITICAL

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Jun 29, 2026
CVE-2026-49048
9.8 CRITICAL

The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string …

Jun 28, 2026
CVE-2026-58053
9.9 CRITICAL

Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: …

Jun 28, 2026
CVE-2026-12415
9.8 CRITICAL

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up …

Jun 27, 2026
CVE-2026-28701
9.8 CRITICAL

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Jun 26, 2026
CVE-2026-53576
10.0 CRITICAL

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path …

Jun 26, 2026
CVE-2026-49869
10.0 CRITICAL

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from …

Jun 26, 2026
CVE-2026-54352
9.6 CRITICAL

Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, …

Jun 26, 2026
CVE-2026-54350
10.0 CRITICAL

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, …

Jun 26, 2026
CVE-2026-50137
9.4 CRITICAL

Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource …

Jun 26, 2026
CVE-2026-53309
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison The local-vs-remote region comparison loop uses '<=' instead …

Jun 26, 2026
CVE-2026-52785
9.9 CRITICAL

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers …

Jun 26, 2026
CVE-2026-52782
9.9 CRITICAL

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access …

Jun 26, 2026
CVE-2026-52780
9.6 CRITICAL

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed …

Jun 26, 2026
CVE-2026-46386
9.9 CRITICAL

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined …

Jun 26, 2026
CVE-2026-33646
9.6 CRITICAL

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with …

Jun 26, 2026
CVE-2026-54636
9.0 CRITICAL

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku …

Jun 26, 2026
CVE-2026-45408
9.0 CRITICAL

Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git …

Jun 26, 2026
CVE-2026-45406
9.0 CRITICAL

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then …

Jun 26, 2026
CVE-2026-45405
9.0 CRITICAL

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or …

Jun 26, 2026
CVE-2026-0685
9.8 CRITICAL

Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution …

Jun 26, 2026
CVE-2025-11919
9.6 CRITICAL

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file …

Jun 26, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.