CVE Database

108224+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-64636
5.3 MEDIUM

Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.

Jun 26, 2026
CVE-2025-63079
4.3 MEDIUM

Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.

Jun 26, 2026
CVE-2025-63078
4.3 MEDIUM

Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.

Jun 26, 2026
CVE-2025-63041
5.4 MEDIUM

Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.

Jun 26, 2026
CVE-2026-57940

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to …

Jun 26, 2026
CVE-2026-57926
2.6 LOW

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack

Jun 26, 2026
CVE-2026-57925
4.3 MEDIUM

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags

Jun 26, 2026
CVE-2026-57924
4.3 MEDIUM

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details

Jun 26, 2026
CVE-2026-57923
5.3 MEDIUM

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings

Jun 26, 2026
CVE-2026-57922
3.1 LOW

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible

Jun 26, 2026
CVE-2026-57921
4.3 MEDIUM

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint

Jun 26, 2026
CVE-2026-53914
6.7 MEDIUM

In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata

Jun 26, 2026
CVE-2026-13426
5.4 MEDIUM

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API …

Jun 26, 2026
CVE-2026-57920
7.7 HIGH

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.

Jun 26, 2026
CVE-2026-57915
7.3 HIGH

It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended …

Jun 26, 2026
CVE-2026-40711
8.0 HIGH

Dell Dell Container Storage Modules, version(s) csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, csi-powermax v2.16.0, contain(s) an Improper Neutralization of Special Elements used in an OS …

Jun 26, 2026
CVE-2025-64152
9.1 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from …

Jun 26, 2026
CVE-2025-55017
9.1 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from …

Jun 26, 2026
CVE-2026-57914
6.5 MEDIUM

By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trigger a StackOverFlow Exception which can lead to …

Jun 26, 2026
CVE-2026-57620
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons …

Jun 26, 2026
CVE-2026-57918
7.1 HIGH

libnfs through 6.0.2 before 935b8db has an xid integer underflow in READ_IOVEC in rpc_read_from_socket in lib/socket.c during a connection to a crafted NFS server, when …

Jun 26, 2026
CVE-2026-57913
7.5 HIGH

Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts.

Jun 26, 2026
CVE-2026-57912
7.5 HIGH

Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers.

Jun 26, 2026
CVE-2026-57473

A vulnerability exists in the netclient and factory services of Reolink Home Hub (versions prior to v3.3.0.456_26031911) due to the possibility of brute-force cracking the …

Jun 26, 2026
CVE-2026-13325
8.5 HIGH

A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain …

Jun 26, 2026
CVE-2025-7958

A Code Injection vulnerability existed in Trellix Network Security CM and NX. A locally authenticated admin user can execute arbitrary code using the web interface …

Jun 26, 2026
CVE-2026-6658
5.4 MEDIUM

A vulnerability in jupyter/nbconvert versions <= 7.17.0 allows for Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders …

Jun 26, 2026
CVE-2026-1869
6.5 MEDIUM

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is …

Jun 26, 2026
CVE-2026-11702
7.5 HIGH

Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes. When an object is initialised before forking, then the internal state for the …

Jun 26, 2026
CVE-2026-11625
7.5 HIGH

Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes. When an object is initialised before forking, or when the functional interface is …

Jun 26, 2026
CVE-2026-57881
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient length validation …

Jun 26, 2026
CVE-2026-57880
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in ssvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking …

Jun 26, 2026
CVE-2026-57879
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in ssvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking …

Jun 26, 2026
CVE-2026-57878
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in thttpd in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking …

Jun 26, 2026
CVE-2026-57877
8.6 HIGH

An unauthenticated format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling of externally …

Jun 26, 2026
CVE-2026-57876
7.5 HIGH

An unauthenticated out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when …

Jun 26, 2026
CVE-2026-57875
7.5 HIGH

An unauthenticated NULL pointer dereference vulnerability exists in the HTTP request parsing logic of multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. …

Jun 26, 2026
CVE-2026-57874
7.5 HIGH

An unauthenticated buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when …

Jun 26, 2026
CVE-2026-57873
7.5 HIGH

An unauthenticated NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of …

Jun 26, 2026
CVE-2026-57872
7.5 HIGH

An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied …

Jun 26, 2026
CVE-2026-49486
7.5 HIGH

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was …

Jun 26, 2026
CVE-2026-2053
8.3 HIGH

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows …

Jun 26, 2026
CVE-2026-8380
6.5 MEDIUM

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with …

Jun 26, 2026
CVE-2026-10835
7.7 HIGH

The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using …

Jun 26, 2026
CVE-2026-10823
7.5 HIGH

The YMC Filter WordPress plugin before 3.11.3 does not properly authorize access to one of its REST API endpoints and does not validate a user-supplied …

Jun 26, 2026
CVE-2025-10268
5.3 MEDIUM

The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker …

Jun 26, 2026
CVE-2026-8797

An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed …

Jun 26, 2026
CVE-2026-8661
4.8 MEDIUM

Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote …

Jun 26, 2026
CVE-2026-50745
6.1 MEDIUM

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, …

Jun 26, 2026
CVE-2026-50744
4.3 MEDIUM

A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID …

Jun 26, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.