CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-57658
9.1 CRITICAL

Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions.

Jun 26, 2026
CVE-2026-56070
9.3 CRITICAL

Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.

Jun 26, 2026
CVE-2026-56068
9.3 CRITICAL

Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.

Jun 26, 2026
CVE-2026-56067
9.3 CRITICAL

Unauthenticated SQL Injection in JetSmartFilters <= 3.8.3 versions.

Jun 26, 2026
CVE-2026-56062
9.3 CRITICAL

Unauthenticated SQL Injection in Quotes llama <= 3.1.5 versions.

Jun 26, 2026
CVE-2026-56059
9.9 CRITICAL

Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions.

Jun 26, 2026
CVE-2026-56058
9.9 CRITICAL

Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.

Jun 26, 2026
CVE-2026-56057
9.8 CRITICAL

Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions.

Jun 26, 2026
CVE-2026-56036
9.3 CRITICAL

Unauthenticated SQL Injection in 워드프레스 결제 심플페이 <= 5.5.6 versions.

Jun 26, 2026
CVE-2026-56034
9.3 CRITICAL

Unauthenticated SQL Injection in Library Management System <= 3.5.7 versions.

Jun 26, 2026
CVE-2026-56033
9.8 CRITICAL

Unauthenticated Privilege Escalation in Dokan Pro <= 5.0.4 versions.

Jun 26, 2026
CVE-2026-56032
9.8 CRITICAL

Subscriber PHP Object Injection in Buddyboss Platform <= 3.0.4 versions.

Jun 26, 2026
CVE-2026-56030
9.8 CRITICAL

Unauthenticated Privilege Escalation in Paytium <= 5.0.2 versions.

Jun 26, 2026
CVE-2026-56028
9.8 CRITICAL

Unauthenticated Privilege Escalation in Easy Elements for Elementor &#8211; Addons &amp; Website Templates <= 1.4.9 versions.

Jun 26, 2026
CVE-2026-56027
9.9 CRITICAL

Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions.

Jun 26, 2026
CVE-2026-54831
9.3 CRITICAL

Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions.

Jun 26, 2026
CVE-2026-54827
9.3 CRITICAL

Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions.

Jun 26, 2026
CVE-2026-54825
9.3 CRITICAL

Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.

Jun 26, 2026
CVE-2026-54820
9.3 CRITICAL

Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions.

Jun 26, 2026
CVE-2025-64152
9.1 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from …

Jun 26, 2026
CVE-2025-55017
9.1 CRITICAL

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from …

Jun 26, 2026
CVE-2026-57881
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient length validation …

Jun 26, 2026
CVE-2026-57880
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in ssvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking …

Jun 26, 2026
CVE-2026-57879
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in ssvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking …

Jun 26, 2026
CVE-2026-57878
9.8 CRITICAL

An unauthenticated stack-based buffer overflow vulnerability exists in thttpd in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking …

Jun 26, 2026
CVE-2026-48930
9.8 CRITICAL

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This …

Jun 26, 2026
CVE-2026-40702
9.4 CRITICAL

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to …

Jun 25, 2026
CVE-2025-71338
10.0 CRITICAL

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized …

Jun 25, 2026
CVE-2025-71336
9.8 CRITICAL

Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute …

Jun 25, 2026
CVE-2025-71334
9.8 CRITICAL

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are …

Jun 25, 2026
CVE-2025-71333
9.8 CRITICAL

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal …

Jun 25, 2026
CVE-2025-71327
9.1 CRITICAL

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint …

Jun 25, 2026
CVE-2026-56445
9.1 CRITICAL

The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.

Jun 25, 2026
CVE-2026-7531
9.8 CRITICAL

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC …

Jun 25, 2026
CVE-2026-57700
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6.

Jun 25, 2026
CVE-2026-56786
9.8 CRITICAL

RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte …

Jun 25, 2026
CVE-2026-54917
10.0 CRITICAL

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg …

Jun 25, 2026
CVE-2026-54089
9.1 CRITICAL

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is …

Jun 25, 2026
CVE-2026-50549
9.8 CRITICAL

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a …

Jun 25, 2026
CVE-2026-50548
9.8 CRITICAL

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the …

Jun 25, 2026
CVE-2026-6094
9.1 CRITICAL

Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.

Jun 25, 2026
CVE-2026-54849
9.3 CRITICAL

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.

Jun 25, 2026
CVE-2026-54843
9.3 CRITICAL

Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.

Jun 25, 2026
CVE-2026-54836
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from …

Jun 25, 2026
CVE-2026-54823
9.9 CRITICAL

Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.

Jun 25, 2026
CVE-2026-41120
9.8 CRITICAL

Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker …

Jun 25, 2026
CVE-2026-53260
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req(). syzbot reported a weird reqsk->rsk_refcnt underflow in __inet_csk_reqsk_queue_drop(). The captured …

Jun 25, 2026
CVE-2026-53247
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown mtk_free_dev() calls metadata_dst_free() which frees the …

Jun 25, 2026
CVE-2026-53246
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing When a listening SCTP server …

Jun 25, 2026
CVE-2026-53228
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header …

Jun 25, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.