CVE Database

36368+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-9851
7.2 HIGH

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to …

Jun 6, 2026
CVE-2026-7537
7.2 HIGH

The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. …

Jun 6, 2026
CVE-2026-8901
7.2 HIGH

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form …

Jun 6, 2026
CVE-2026-8438
7.2 HIGH

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This …

Jun 6, 2026
CVE-2026-9290
7.5 HIGH

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and …

Jun 6, 2026
CVE-2026-7654
8.8 HIGH

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This …

Jun 5, 2026
CVE-2026-11416
8.1 HIGH

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating …

Jun 5, 2026
CVE-2026-36785
7.5 HIGH

Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the page parameter of the fromDhcpListClient function. This vulnerability …

Jun 5, 2026
CVE-2026-11422
7.1 HIGH

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript …

Jun 5, 2026
CVE-2026-46493
7.5 HIGH

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 …

Jun 5, 2026
CVE-2026-45300
7.4 HIGH

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 …

Jun 5, 2026
CVE-2026-11401
8.0 HIGH

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor …

Jun 5, 2026
CVE-2026-11400
8.0 HIGH

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor …

Jun 5, 2026
CVE-2026-5415
8.8 HIGH

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication …

Jun 5, 2026
CVE-2026-5411
8.8 HIGH

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary …

Jun 5, 2026
CVE-2026-46392
8.7 HIGH

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions …

Jun 5, 2026
CVE-2026-50733
8.8 HIGH

Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path …

Jun 5, 2026
CVE-2026-49493
8.8 HIGH

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. …

Jun 5, 2026
CVE-2026-49492
8.8 HIGH

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the …

Jun 5, 2026
CVE-2026-45749
8.1 HIGH

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior …

Jun 5, 2026
CVE-2026-45745
8.0 HIGH

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate …

Jun 5, 2026
CVE-2026-45743
8.1 HIGH

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do …

Jun 5, 2026
CVE-2026-45327
8.2 HIGH

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version …

Jun 5, 2026
CVE-2026-45291
7.5 HIGH

Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR3-20260418.124334-32` impacts publicly accessible software depending on the affected versions …

Jun 5, 2026
CVE-2026-45290
7.5 HIGH

Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR3-20260417.085727-30` impacts publicly accessible software depending on the affected versions …

Jun 5, 2026
CVE-2026-36501
7.5 HIGH

An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Jun 5, 2026
CVE-2026-11344
7.3 HIGH

A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration …

Jun 5, 2026
CVE-2026-11342
7.3 HIGH

A vulnerability has been found in code-projects Hotel and Tourism Reservation System 1.0. This affects an unknown function of the file /details.php. Such manipulation of …

Jun 5, 2026
CVE-2025-5088
8.3 HIGH

An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an …

Jun 5, 2026
CVE-2026-48095
8.8 HIGH

7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in …

Jun 5, 2026
CVE-2026-11334
7.3 HIGH

A vulnerability was detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This affects an unknown function of the file dashboard_page/forms/fetch.php. Performing a manipulation of the argument department_code results …

Jun 5, 2026
CVE-2026-50234
7.5 HIGH

Lyrion Music Server 9.2.0 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting directory traversal in the web server …

Jun 5, 2026
CVE-2026-50232
7.2 HIGH

Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, …

Jun 5, 2026
CVE-2026-50231
7.2 HIGH

Lyrion Music Server 9.2.0 contains an unauthenticated stored cross-site scripting vulnerability in the log viewer that allows attackers to inject malicious scripts by exploiting unescaped …

Jun 5, 2026
CVE-2026-50264
7.8 HIGH

An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft …

Jun 5, 2026
CVE-2026-50261
7.8 HIGH

A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free …

Jun 5, 2026
CVE-2026-50260
7.8 HIGH

A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those …

Jun 5, 2026
CVE-2026-50259
7.8 HIGH

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type …

Jun 5, 2026
CVE-2026-50258
7.8 HIGH

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups …

Jun 5, 2026
CVE-2026-50257
7.8 HIGH

A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a …

Jun 5, 2026
CVE-2026-50256
7.8 HIGH

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum …

Jun 5, 2026
CVE-2026-21033
7.1 HIGH

Improper export of android application components in ExpressHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script.

Jun 5, 2026
CVE-2026-21032
7.1 HIGH

Improper export of android application components in SmartHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script.

Jun 5, 2026
CVE-2026-21031
7.8 HIGH

Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability.

Jun 5, 2026
CVE-2026-21030
7.8 HIGH

Improper access control in MediaTek Audio HAL prior to SMR Jun-2026 Release 1 allows local attackers to trigger privileged functions.

Jun 5, 2026
CVE-2026-21029
7.8 HIGH

Improper export of android application components in Galaxy Editing Service prior to SMR Jun-2026 Release 1 allows local attacker to execute privileged operations.

Jun 5, 2026
CVE-2026-11332
7.8 HIGH

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument …

Jun 5, 2026
CVE-2026-21837
8.8 HIGH

HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, …

Jun 5, 2026
CVE-2026-50593
7.3 HIGH

Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the …

Jun 5, 2026
CVE-2026-41567
7.2 HIGH

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded …

Jun 5, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.