CVE Database

108224+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-50742
5.4 MEDIUM

A stored XSS vulnerabilities exists in the `maintenance-acl-check.php` and `maintenance-banners-check.php` tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without …

Jun 26, 2026
CVE-2026-50741
8.8 HIGH

Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by …

Jun 26, 2026
CVE-2026-50740
5.4 MEDIUM

A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh …

Jun 26, 2026
CVE-2026-50739
4.3 MEDIUM

A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the …

Jun 26, 2026
CVE-2026-48936
3.3 LOW

A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This …

Jun 26, 2026
CVE-2026-48935
3.3 LOW

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. …

Jun 26, 2026
CVE-2026-48934
4.3 MEDIUM

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js …

Jun 26, 2026
CVE-2026-48933
7.5 HIGH

A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported …

Jun 26, 2026
CVE-2026-48930
9.8 CRITICAL

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This …

Jun 26, 2026
CVE-2026-48928
5.4 MEDIUM

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js …

Jun 26, 2026
CVE-2026-48619
7.5 HIGH

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory …

Jun 26, 2026
CVE-2026-48618
6.5 MEDIUM

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and …

Jun 26, 2026
CVE-2026-48615
7.5 HIGH

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, …

Jun 26, 2026
CVE-2026-13226
6.5 MEDIUM

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up …

Jun 26, 2026
CVE-2026-9222
8.1 HIGH

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow …

Jun 26, 2026
CVE-2026-9221
7.5 HIGH

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and …

Jun 26, 2026
CVE-2026-9220
7.5 HIGH

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. …

Jun 26, 2026
CVE-2026-9219
6.5 MEDIUM

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. …

Jun 26, 2026
CVE-2026-43920

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, …

Jun 26, 2026
CVE-2026-13322
3.8 LOW

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character …

Jun 26, 2026
CVE-2026-13318
6.4 MEDIUM

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the …

Jun 26, 2026
CVE-2026-13218
4.2 MEDIUM

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink …

Jun 26, 2026
CVE-2026-13083
6.9 MEDIUM

A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with …

Jun 26, 2026
CVE-2026-12993
6.5 MEDIUM

A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. …

Jun 26, 2026
CVE-2026-40941
6.5 MEDIUM

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed …

Jun 25, 2026
CVE-2026-40084
6.5 MEDIUM

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing …

Jun 25, 2026
CVE-2026-40083
7.2 HIGH

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 …

Jun 25, 2026
CVE-2026-40082
5.4 MEDIUM

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is …

Jun 25, 2026
CVE-2026-40080
6.1 MEDIUM

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than …

Jun 25, 2026
CVE-2026-8720
7.5 HIGH

wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the …

Jun 25, 2026
CVE-2026-7532
7.5 HIGH

iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an …

Jun 25, 2026
CVE-2026-7511
7.5 HIGH

PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.

Jun 25, 2026
CVE-2026-6331
7.5 HIGH

HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the …

Jun 25, 2026
CVE-2026-6330
6.5 MEDIUM

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code …

Jun 25, 2026
CVE-2026-6329
6.5 MEDIUM

PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and allowing a mismatched MAC to be accepted. The PKCS#12 …

Jun 25, 2026
CVE-2026-6325
7.5 HIGH

Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer.

Jun 25, 2026
CVE-2026-6092
5.3 MEDIUM

When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC.

Jun 25, 2026
CVE-2026-55962
6.5 MEDIUM

TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The …

Jun 25, 2026
CVE-2026-54479
7.3 HIGH

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results …

Jun 25, 2026
CVE-2026-50176
7.5 HIGH

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service …

Jun 25, 2026
CVE-2026-44622
6.5 MEDIUM

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Jun 25, 2026
CVE-2026-40702
9.4 CRITICAL

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to …

Jun 25, 2026
CVE-2026-22879
8.1 HIGH

vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability

Jun 25, 2026
CVE-2026-13283
7.5 HIGH

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific …

Jun 25, 2026
CVE-2026-13282
6.8 MEDIUM

Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access …

Jun 25, 2026
CVE-2026-13281
8.3 HIGH

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox …

Jun 25, 2026
CVE-2026-12992
7.4 HIGH

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to …

Jun 25, 2026
CVE-2026-12975
8.5 HIGH

A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker …

Jun 25, 2026
CVE-2026-11800
8.1 HIGH

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to …

Jun 25, 2026
CVE-2026-11703
7.5 HIGH

Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a …

Jun 25, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.