CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-8421
8.8 HIGH

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit …

May 21, 2026
CVE-2026-8417
8.8 HIGH

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before …

May 21, 2026
CVE-2026-8350
8.8 HIGH

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user …

May 21, 2026
CVE-2026-8135
7.2 HIGH

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with …

May 21, 2026
CVE-2026-8134
7.2 HIGH

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue …

May 21, 2026
CVE-2026-47102
8.8 HIGH

LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only …

May 21, 2026
CVE-2026-47101
8.8 HIGH

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a …

May 21, 2026
CVE-2026-47114
8.8 HIGH

IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the …

May 21, 2026
CVE-2026-46473
7.5 HIGH

Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security …

May 21, 2026
CVE-2026-48242
8.1 HIGH

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code …

May 21, 2026
CVE-2026-48241
8.1 HIGH

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor …

May 21, 2026
CVE-2026-48240
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of …

May 21, 2026
CVE-2026-48239
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT …

May 21, 2026
CVE-2026-48238
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a …

May 21, 2026
CVE-2026-48237
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frm_ticket_id and frm_resp_id POST parameters are concatenated into WHERE clauses of …

May 21, 2026
CVE-2026-48236
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where the multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli …

May 21, 2026
CVE-2026-48235
8.2 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS …

May 21, 2026
CVE-2026-48234
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/list_requests.php where the sort and dir GET parameters are concatenated into the ORDER BY …

May 21, 2026
CVE-2026-48233
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a …

May 21, 2026
CVE-2026-48232
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a …

May 21, 2026
CVE-2026-48231
7.1 HIGH

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers …

May 21, 2026
CVE-2026-9089
8.8 HIGH

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate …

May 21, 2026
CVE-2026-45208
7.8 HIGH

A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must …

May 21, 2026
CVE-2026-45207
7.8 HIGH

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 …

May 21, 2026
CVE-2026-45206
7.8 HIGH

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 …

May 21, 2026
CVE-2026-34930
7.8 HIGH

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 …

May 21, 2026
CVE-2026-34929
7.8 HIGH

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 …

May 21, 2026
CVE-2026-34928
7.8 HIGH

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 …

May 21, 2026
CVE-2026-34927
7.8 HIGH

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must …

May 21, 2026
CVE-2026-2740
8.4 HIGH

Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the …

May 21, 2026
CVE-2025-71217
7.8 HIGH

An origin validation error vulnerability in the Trend Micro Apex One (mac) agent self-protection mechanism could allow a local attacker to escalate privileges on affected …

May 21, 2026
CVE-2025-71216
7.8 HIGH

A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. …

May 21, 2026
CVE-2025-71215
7.0 HIGH

A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on …

May 21, 2026
CVE-2025-71214
7.8 HIGH

An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected …

May 21, 2026
CVE-2025-71213
7.8 HIGH

An origin validation error vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker …

May 21, 2026
CVE-2025-71212
7.8 HIGH

A link following vulnerability in the Trend Micro Apex One scan engine could allow a local attacker to escalate privileges on affected installations. Please note: …

May 21, 2026
CVE-2025-13479
7.5 HIGH

Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: …

May 21, 2026
CVE-2025-13477
7.1 HIGH

Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects …

May 21, 2026
CVE-2026-45760
8.1 HIGH

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace …

May 21, 2026
CVE-2026-45255
7.5 HIGH

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt …

May 21, 2026
CVE-2026-45253
8.4 HIGH

ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process …

May 21, 2026
CVE-2026-45251
7.8 HIGH

A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread …

May 21, 2026
CVE-2026-42001
7.5 HIGH

Insufficient Validation of Autoprimary SOA Queries

May 21, 2026
CVE-2026-39461
8.8 HIGH

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does …

May 21, 2026
CVE-2026-28764
7.8 HIGH

MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability

May 21, 2026
CVE-2026-9157
8.4 HIGH

Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion. This issue affects Web Fax: from …

May 21, 2026
CVE-2026-4858
8.0 HIGH

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an …

May 21, 2026
CVE-2026-45250
7.8 HIGH

The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary …

May 21, 2026
CVE-2026-44068
7.6 HIGH

Incomplete sanitization of extended attribute (EA) path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended …

May 21, 2026
CVE-2026-44066
7.1 HIGH

Multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in Netatalk 3.1.0 through 4.4.2 allow a remote authenticated attacker to obtain sensitive information or …

May 21, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.