CVE Database

36368+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-46527
7.5 HIGH

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an …

May 29, 2026
CVE-2026-44422
7.5 HIGH

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple …

May 29, 2026
CVE-2026-44421
8.8 HIGH

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP …

May 29, 2026
CVE-2026-44420
8.8 HIGH

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side …

May 29, 2026
CVE-2026-44285
7.7 HIGH

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress …

May 29, 2026
CVE-2026-49374
7.6 HIGH

In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters

May 29, 2026
CVE-2026-49373
7.1 HIGH

In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings

May 29, 2026
CVE-2026-49372
7.5 HIGH

In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible

May 29, 2026
CVE-2026-49371
7.1 HIGH

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible

May 29, 2026
CVE-2026-49368
8.7 HIGH

In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible

May 29, 2026
CVE-2026-49367
8.0 HIGH

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account

May 29, 2026
CVE-2026-49366
7.8 HIGH

In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion

May 29, 2026
CVE-2026-47740
8.1 HIGH

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by …

May 29, 2026
CVE-2026-46372
8.5 HIGH

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. …

May 29, 2026
CVE-2026-44648
7.5 HIGH

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. …

May 29, 2026
CVE-2026-42941
8.3 HIGH

The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.

May 29, 2026
CVE-2026-42929
8.3 HIGH

Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials.

May 29, 2026
CVE-2026-6824
8.4 HIGH

A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers …

May 29, 2026
CVE-2026-5768
8.8 HIGH

The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range …

May 29, 2026
CVE-2026-47179
7.7 HIGH

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive …

May 29, 2026
CVE-2026-47125
8.8 HIGH

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file …

May 29, 2026
CVE-2026-45627
8.2 HIGH

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query …

May 29, 2026
CVE-2026-44697
8.6 HIGH

Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that …

May 29, 2026
CVE-2026-10108
7.5 HIGH

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music …

May 29, 2026
CVE-2026-10107
7.7 HIGH

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token …

May 29, 2026
CVE-2026-10105
8.3 HIGH

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata …

May 29, 2026
CVE-2026-48501
7.4 HIGH

GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors …

May 29, 2026
CVE-2026-45662
8.8 HIGH

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without …

May 29, 2026
CVE-2026-39276
7.2 HIGH

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious …

May 29, 2026
CVE-2026-35674
8.8 HIGH

OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope …

May 29, 2026
CVE-2026-35630
8.0 HIGH

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval …

May 29, 2026
CVE-2026-32905
8.3 HIGH

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without …

May 29, 2026
CVE-2026-10069
7.5 HIGH

A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource …

May 29, 2026
CVE-2026-10068
7.3 HIGH

A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call …

May 29, 2026
CVE-2026-10067
8.8 HIGH

A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The …

May 29, 2026
CVE-2026-10066
8.8 HIGH

A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component …

May 29, 2026
CVE-2026-10065
8.8 HIGH

A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument …

May 29, 2026
CVE-2018-25404
8.2 HIGH

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

May 29, 2026
CVE-2018-25403
8.2 HIGH

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

May 29, 2026
CVE-2018-25402
8.2 HIGH

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

May 29, 2026
CVE-2018-25401
8.2 HIGH

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

May 29, 2026
CVE-2018-25400
8.2 HIGH

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

May 29, 2026
CVE-2018-25399
8.2 HIGH

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

May 29, 2026
CVE-2018-25398
8.2 HIGH

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

May 29, 2026
CVE-2018-25396
7.5 HIGH

Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request …

May 29, 2026
CVE-2018-25395
8.2 HIGH

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter …

May 29, 2026
CVE-2018-25394
8.2 HIGH

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the release_id parameter …

May 29, 2026
CVE-2018-25392
7.1 HIGH

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters …

May 29, 2026
CVE-2018-25391
7.5 HIGH

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that …

May 29, 2026
CVE-2018-25390
8.2 HIGH

HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter …

May 29, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.