CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-6169
7.2 HIGH

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin …

May 27, 2026
CVE-2026-40819
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40818
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40817
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40816
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in …

May 27, 2026
CVE-2026-40815
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40814
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in …

May 27, 2026
CVE-2026-40813
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in …

May 27, 2026
CVE-2026-40812
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in …

May 27, 2026
CVE-2026-40811
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT …

May 27, 2026
CVE-2026-40810
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-3375
7.2 HIGH

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, …

May 27, 2026
CVE-2025-41670
7.8 HIGH

A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located …

May 27, 2026
CVE-2025-41669
8.8 HIGH

The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any …

May 27, 2026
CVE-2026-9200
7.5 HIGH

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This …

May 27, 2026
CVE-2026-8994
8.1 HIGH

The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered …

May 27, 2026
CVE-2026-8787
8.8 HIGH

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due …

May 27, 2026
CVE-2026-6268
7.1 HIGH

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the …

May 27, 2026
CVE-2026-49000
7.0 HIGH

An insecure password scheme refers to vulnerabilities arising from improper selection of encryption algorithms, inadequate key management, or flawed code implementation, which may lead to …

May 27, 2026
CVE-2026-48962
7.3 HIGH

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in …

May 27, 2026
CVE-2026-48961
7.3 HIGH

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte …

May 27, 2026
CVE-2026-48959
7.5 HIGH

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, …

May 27, 2026
CVE-2026-2253
7.7 HIGH

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external …

May 27, 2026
CVE-2026-9632
8.8 HIGH

A flaw has been found in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this issue is the function strcpy of the file /goform/formGroupConfig of …

May 27, 2026
CVE-2026-9631
8.8 HIGH

A vulnerability was detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this vulnerability is the function strcpy of the file /goform/formConfigFastDirectionW of the …

May 27, 2026
CVE-2026-9628
8.8 HIGH

A weakness has been identified in UTT HiPER 1200GW up to 2.5.3-170306. Affected is an unknown function of the file /goform/formPptpClientConfig of the component Web …

May 27, 2026
CVE-2026-9627
8.8 HIGH

A security flaw has been discovered in UTT HiPER 1200GW up to 2.5.3-170306. This impacts the function strcpy of the file /goform/setSysAdm of the component …

May 27, 2026
CVE-2026-9207
8.8 HIGH

Tanium addressed an unauthorized code execution vulnerability in Connect.

May 27, 2026
CVE-2026-49014
7.4 HIGH

In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a …

May 27, 2026
CVE-2026-9606
7.3 HIGH

A vulnerability has been found in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /manage_user.php. Such manipulation of the argument …

May 27, 2026
CVE-2026-9605
7.3 HIGH

A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp …

May 27, 2026
CVE-2026-9584
7.3 HIGH

A security vulnerability has been detected in code-projects Project Management System 1.0. Affected is an unknown function of the file chk.php of the component Login. …

May 26, 2026
CVE-2026-5260
8.2 HIGH

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using …

May 26, 2026
CVE-2026-45574
8.1 HIGH

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the …

May 26, 2026
CVE-2026-45298
8.6 HIGH

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook …

May 26, 2026
CVE-2026-44983
7.3 HIGH

smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can …

May 26, 2026
CVE-2026-44966
8.3 HIGH

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue …

May 26, 2026
CVE-2026-44905
7.5 HIGH

Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline …

May 26, 2026
CVE-2026-44900
8.1 HIGH

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line …

May 26, 2026
CVE-2026-43988
7.5 HIGH

Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline …

May 26, 2026
CVE-2026-42013
8.2 HIGH

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to …

May 26, 2026
CVE-2026-42012
7.1 HIGH

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) …

May 26, 2026
CVE-2025-46284
7.0 HIGH

A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7, macOS Tahoe 26. An app may be able to …

May 26, 2026
CVE-2025-43306
7.8 HIGH

A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app …

May 26, 2026
CVE-2026-9580
7.3 HIGH

A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access …

May 26, 2026
CVE-2026-8676
8.8 HIGH

An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a …

May 26, 2026
CVE-2026-45575
7.4 HIGH

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection …

May 26, 2026
CVE-2026-44847
7.5 HIGH

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns …

May 26, 2026
CVE-2026-44843
8.2 HIGH

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, …

May 26, 2026
CVE-2026-44209
7.5 HIGH

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that …

May 26, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.