CVE Database

108224+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-54194
9.8 CRITICAL

Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.

Jun 17, 2026
CVE-2026-54192
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions.

Jun 17, 2026
CVE-2026-54189
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.

Jun 17, 2026
CVE-2026-54188
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.

Jun 17, 2026
CVE-2026-54187
9.3 CRITICAL

Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions.

Jun 17, 2026
CVE-2026-54186
9.3 CRITICAL

Unauthenticated SQL Injection in JobSearch <= 3.2.9 versions.

Jun 17, 2026
CVE-2026-54185
8.5 HIGH

Subscriber SQL Injection in Cornerstone < 7.8.8 versions.

Jun 17, 2026
CVE-2026-54184
8.2 HIGH

Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions.

Jun 17, 2026
CVE-2026-53876
7.2 HIGH

RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by …

Jun 17, 2026
CVE-2026-52706
9.8 CRITICAL

Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.

Jun 17, 2026
CVE-2026-52705
9.0 CRITICAL

Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions.

Jun 17, 2026
CVE-2026-52698
7.4 HIGH

Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation &amp; Chat Widget <= 4.2.3 versions.

Jun 17, 2026
CVE-2026-52696
7.5 HIGH

Unauthenticated Sensitive Data Exposure in JetBlog <= 2.4.8 versions.

Jun 17, 2026
CVE-2026-50203
9.1 CRITICAL

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination …

Jun 17, 2026
CVE-2026-49778
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.

Jun 17, 2026
CVE-2026-49767
9.8 CRITICAL

Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.

Jun 17, 2026
CVE-2026-49113
8.5 HIGH

Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.

Jun 17, 2026
CVE-2026-49107
9.8 CRITICAL

Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.

Jun 17, 2026
CVE-2026-49084
9.3 CRITICAL

Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.

Jun 17, 2026
CVE-2026-49081
8.2 HIGH

Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.

Jun 17, 2026
CVE-2026-49080
9.3 CRITICAL

Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.

Jun 17, 2026
CVE-2026-49079
9.3 CRITICAL

Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.

Jun 17, 2026
CVE-2026-49076
9.3 CRITICAL

Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.

Jun 17, 2026
CVE-2026-49075
9.8 CRITICAL

Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.

Jun 17, 2026
CVE-2026-49074
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions.

Jun 17, 2026
CVE-2026-49073
8.5 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist …

Jun 17, 2026
CVE-2026-49072
6.5 MEDIUM

Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.

Jun 17, 2026
CVE-2026-49071
6.5 MEDIUM

Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.

Jun 17, 2026
CVE-2026-49058
9.8 CRITICAL

Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.

Jun 17, 2026
CVE-2026-49057
7.5 HIGH

Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.

Jun 17, 2026
CVE-2026-48967
8.5 HIGH

Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.

Jun 17, 2026
CVE-2026-48929
7.5 HIGH

Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any …

Jun 17, 2026
CVE-2026-48875
9.3 CRITICAL

Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.

Jun 17, 2026
CVE-2026-48869
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.

Jun 17, 2026
CVE-2026-48797

Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes …

Jun 17, 2026
CVE-2026-48788
8.2 HIGH

Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site …

Jun 17, 2026
CVE-2026-48783
4.8 MEDIUM

Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side …

Jun 17, 2026
CVE-2026-48782
6.8 MEDIUM

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata …

Jun 17, 2026
CVE-2026-48781
9.9 CRITICAL

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape …

Jun 17, 2026
CVE-2026-48779
7.5 HIGH

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to …

Jun 17, 2026
CVE-2026-48745
9.3 CRITICAL

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, …

Jun 17, 2026
CVE-2026-48616
9.3 CRITICAL

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat …

Jun 17, 2026
CVE-2026-48055
10.0 CRITICAL

Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was …

Jun 17, 2026
CVE-2026-47340
6.5 MEDIUM

Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache …

Jun 17, 2026
CVE-2026-47277
6.5 MEDIUM

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated …

Jun 17, 2026
CVE-2026-45436
6.5 MEDIUM

Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions.

Jun 17, 2026
CVE-2026-44587
4.7 MEDIUM

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters …

Jun 17, 2026
CVE-2026-42629
8.8 HIGH

Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.

Jun 17, 2026
CVE-2026-42385
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.

Jun 17, 2026
CVE-2026-42380
9.8 CRITICAL

Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.

Jun 17, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.