CVE Database

36368+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-49942
7.3 HIGH

Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the …

Jun 4, 2026
CVE-2026-49941
7.5 HIGH

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did …

Jun 4, 2026
CVE-2026-46741
7.5 HIGH

Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from …

Jun 4, 2026
CVE-2026-5228
8.8 HIGH

Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp …

Jun 4, 2026
CVE-2026-44393
7.4 HIGH

An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message …

Jun 4, 2026
CVE-2026-43985
8.8 HIGH

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but …

Jun 4, 2026
CVE-2026-43984
8.9 HIGH

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest …

Jun 4, 2026
CVE-2026-38570
7.5 HIGH

bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service.

Jun 4, 2026
CVE-2026-36176
7.1 HIGH

GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to …

Jun 4, 2026
CVE-2026-28318
7.5 HIGH KEV

SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure …

Jun 4, 2026
CVE-2026-10863
8.1 HIGH

A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an …

Jun 4, 2026
CVE-2025-59874
8.1 HIGH

HCL Hive Telco Observability is affected by a Required directives missing from the CSP issue is detected in keycloak component of the web application. Missing …

Jun 4, 2026
CVE-2025-46638
7.5 HIGH

Dell BSAFE SSL-J contains an allocation of resources without limits or throttling vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to a …

Jun 4, 2026
CVE-2019-25745
8.2 HIGH

WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code …

Jun 4, 2026
CVE-2019-25736
8.4 HIGH

LabF nfsAxe 3.7 Ping Client contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in the …

Jun 4, 2026
CVE-2019-25735
8.4 HIGH

AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long …

Jun 4, 2026
CVE-2019-25733
8.4 HIGH

NetShareWatcher 1.5.8.0 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input. Attackers can craft …

Jun 4, 2026
CVE-2019-25732
8.2 HIGH

PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search …

Jun 4, 2026
CVE-2019-25730
8.2 HIGH

Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id …

Jun 4, 2026
CVE-2019-25728
8.2 HIGH

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Attackers can inject …

Jun 4, 2026
CVE-2019-25726
8.2 HIGH

All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through …

Jun 4, 2026
CVE-2026-10843
7.2 HIGH

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions …

Jun 4, 2026
CVE-2026-10840
7.1 HIGH

A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via …

Jun 4, 2026
CVE-2025-52612
7.1 HIGH

HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an …

Jun 4, 2026
CVE-2026-49771
7.6 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue …

Jun 4, 2026
CVE-2026-50213
7.5 HIGH

The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.

Jun 4, 2026
CVE-2026-50210
7.5 HIGH

The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption.

Jun 4, 2026
CVE-2026-50209
7.8 HIGH

Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.

Jun 4, 2026
CVE-2026-50207
7.8 HIGH

The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.

Jun 4, 2026
CVE-2026-3820
7.2 HIGH

There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into …

Jun 4, 2026
CVE-2026-50205
8.2 HIGH

System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data.

Jun 4, 2026
CVE-2026-49203
8.3 HIGH

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.

Jun 4, 2026
CVE-2026-49202
8.6 HIGH

Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.

Jun 4, 2026
CVE-2026-49194
8.8 HIGH

The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.

Jun 4, 2026
CVE-2026-49193
7.5 HIGH

Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.

Jun 4, 2026
CVE-2026-49190
8.8 HIGH

The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.

Jun 4, 2026
CVE-2026-49189
7.8 HIGH

Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.

Jun 4, 2026
CVE-2026-49187
7.5 HIGH

The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.

Jun 4, 2026
CVE-2026-41010
8.2 HIGH

ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array …

Jun 4, 2026
CVE-2026-8829
7.5 HIGH

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV …

Jun 4, 2026
CVE-2026-41860
8.8 HIGH

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an …

Jun 4, 2026
CVE-2026-41859
7.8 HIGH

A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with …

Jun 4, 2026
CVE-2026-41858
7.5 HIGH

Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a …

Jun 4, 2026
CVE-2026-41011
8.2 HIGH

PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The …

Jun 4, 2026
CVE-2026-10737
7.5 HIGH

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in …

Jun 4, 2026
CVE-2026-10777
7.3 HIGH

A vulnerability was identified in ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. Affected by this issue is some unknown functionality of the file admin/config.php of the component …

Jun 3, 2026
CVE-2026-10771
7.3 HIGH

A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation …

Jun 3, 2026
CVE-2026-50033
7.3 HIGH

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

Jun 3, 2026
CVE-2026-44682
7.3 HIGH

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

Jun 3, 2026
CVE-2026-44609
7.3 HIGH

Local privilege escalation due to EXE hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

Jun 3, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.