CVE Database

9215+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-52931
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: batman-adv: tp_meter: avoid use of uninit sender vars batadv_tp_recv_ack() and batadv_tp_stop() are only valid for …

Jun 24, 2026
CVE-2026-52924
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: sctp: purge outqueue on stale COOKIE-ECHO handling sctp_stream_update() is only invoked when the association is …

Jun 24, 2026
CVE-2026-52914
9.8 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix fragment reassembly length accounting batman-adv keeps a running payload length for queued fragments …

Jun 24, 2026
CVE-2026-12417
9.8 CRITICAL

The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, …

Jun 24, 2026
CVE-2026-12416
9.8 CRITICAL

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due …

Jun 24, 2026
CVE-2026-48768
9.3 CRITICAL

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object …

Jun 18, 2026
CVE-2026-54388
9.1 CRITICAL

Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend …

Jun 17, 2026
CVE-2026-54387
9.1 CRITICAL

Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length …

Jun 17, 2026
CVE-2026-48814
9.1 CRITICAL

Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty …

Jun 17, 2026
CVE-2026-55196
9.1 CRITICAL

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is …

Jun 17, 2026
CVE-2026-53805
9.8 CRITICAL

NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize …

Jun 17, 2026
CVE-2026-20266
9.1 CRITICAL

In Splunk AI Toolkit versions below 5.7.4, a user who holds the "admin" Splunk role could execute arbitrary OS commands on the host running the …

Jun 17, 2026
CVE-2026-53874
9.8 CRITICAL

picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. …

Jun 17, 2026
CVE-2026-53873
9.8 CRITICAL

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code …

Jun 17, 2026
CVE-2026-3490
10.0 CRITICAL

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers …

Jun 17, 2026
CVE-2026-36418
9.1 CRITICAL

JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly …

Jun 17, 2026
CVE-2026-20181
9.1 CRITICAL

A vulnerability in Cisco ISE and ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected …

Jun 17, 2026
CVE-2025-71325
9.8 CRITICAL

picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and …

Jun 17, 2026
CVE-2025-71323
9.8 CRITICAL

picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers …

Jun 17, 2026
CVE-2025-71321
9.8 CRITICAL

picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle …

Jun 17, 2026
CVE-2025-71320
9.8 CRITICAL

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft …

Jun 17, 2026
CVE-2026-55743
9.6 CRITICAL

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS …

Jun 17, 2026
CVE-2026-54812
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Motors allows Blind SQL Injection. This issue affects Motors: from …

Jun 17, 2026
CVE-2026-47103
9.8 CRITICAL

Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing …

Jun 17, 2026
CVE-2026-54819
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: …

Jun 17, 2026
CVE-2026-54815
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. …

Jun 17, 2026
CVE-2026-54809
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from …

Jun 17, 2026
CVE-2026-54808
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This …

Jun 17, 2026
CVE-2026-49108
9.8 CRITICAL

Unauthenticated PHP Object Injection in Moderno < 1.43 versions.

Jun 17, 2026
CVE-2025-69127
9.8 CRITICAL

Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.

Jun 17, 2026
CVE-2025-69111
9.8 CRITICAL

Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.

Jun 17, 2026
CVE-2025-60236
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5.

Jun 17, 2026
CVE-2025-60231
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1.

Jun 17, 2026
CVE-2025-60230
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9.

Jun 17, 2026
CVE-2025-60229
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0.

Jun 17, 2026
CVE-2025-59554
9.3 CRITICAL

Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions.

Jun 17, 2026
CVE-2026-54811
9.3 CRITICAL

Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.

Jun 17, 2026
CVE-2026-54807
9.8 CRITICAL

Unauthenticated Privilege Escalation in Registration Form for WooCommerce <= 1.0.9 versions.

Jun 17, 2026
CVE-2026-54806
9.8 CRITICAL

Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.

Jun 17, 2026
CVE-2026-54803
9.8 CRITICAL

Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.

Jun 17, 2026
CVE-2026-54194
9.8 CRITICAL

Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.

Jun 17, 2026
CVE-2026-54187
9.3 CRITICAL

Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions.

Jun 17, 2026
CVE-2026-54186
9.3 CRITICAL

Unauthenticated SQL Injection in JobSearch <= 3.2.9 versions.

Jun 17, 2026
CVE-2026-52706
9.8 CRITICAL

Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.

Jun 17, 2026
CVE-2026-52705
9.0 CRITICAL

Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions.

Jun 17, 2026
CVE-2026-50203
9.1 CRITICAL

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination …

Jun 17, 2026
CVE-2026-49767
9.8 CRITICAL

Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.

Jun 17, 2026
CVE-2026-49107
9.8 CRITICAL

Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.

Jun 17, 2026
CVE-2026-49084
9.3 CRITICAL

Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.

Jun 17, 2026
CVE-2026-49080
9.3 CRITICAL

Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.

Jun 17, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.