CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-29518
7.0 HIGH

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended …

May 20, 2026
CVE-2025-11954
8.0 HIGH

Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: …

May 20, 2026
CVE-2026-22315
7.2 HIGH

Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the …

May 20, 2026
CVE-2026-0856
7.8 HIGH

Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This …

May 20, 2026
CVE-2026-9064
7.5 HIGH

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per …

May 20, 2026
CVE-2026-44933
7.8 HIGH

`PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, this root is frequently `/` (the system root) in standard configurations or when using `--root`. If …

May 20, 2026
CVE-2026-42959
7.5 HIGH

NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash …

May 20, 2026
CVE-2026-42944
7.5 HIGH

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie …

May 20, 2026
CVE-2026-41292
7.5 HIGH

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS …

May 20, 2026
CVE-2026-41054
7.8 HIGH

In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`). However, while it detects if the connecting user is not …

May 20, 2026
CVE-2026-40622
7.5 HIGH

NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the …

May 20, 2026
CVE-2026-5200
8.8 HIGH

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, …

May 20, 2026
CVE-2026-47784
8.1 HIGH

In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.

May 20, 2026
CVE-2026-47783
8.1 HIGH

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid …

May 20, 2026
CVE-2026-9057
8.2 HIGH

A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio …

May 20, 2026
CVE-2026-7522
8.8 HIGH

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' …

May 20, 2026
CVE-2026-9010
7.5 HIGH

The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due …

May 20, 2026
CVE-2026-9003
7.5 HIGH

E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

May 20, 2026
CVE-2026-24214
8.0 HIGH

NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an integer overflow. A successful exploit of this vulnerability …

May 20, 2026
CVE-2026-24213
8.0 HIGH

NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an out-of-bounds read. A successful exploit of this vulnerability …

May 20, 2026
CVE-2026-24210
7.5 HIGH

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to denial …

May 20, 2026
CVE-2026-24209
7.5 HIGH

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to …

May 20, 2026
CVE-2026-24206
7.3 HIGH

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation …

May 20, 2026
CVE-2026-24163
7.5 HIGH

NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability …

May 20, 2026
CVE-2025-33255
7.5 HIGH

NVIDIA TRT-LLM for any platform contains a vulnerability in MPI server, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability …

May 20, 2026
CVE-2026-7467
8.8 HIGH

The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to …

May 20, 2026
CVE-2026-6456
8.8 HIGH

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` …

May 20, 2026
CVE-2026-43618
8.1 HIGH

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing …

May 20, 2026
CVE-2026-3985
7.5 HIGH

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions …

May 20, 2026
CVE-2026-34358
8.1 HIGH

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks …

May 19, 2026
CVE-2026-34241
8.7 HIGH

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. …

May 19, 2026
CVE-2026-39250
7.3 HIGH

An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations.

May 19, 2026
CVE-2026-32882
7.1 HIGH

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When …

May 19, 2026
CVE-2026-32741
7.1 HIGH

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a …

May 19, 2026
CVE-2026-32740
8.8 HIGH

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, …

May 19, 2026
CVE-2026-27173
8.7 HIGH

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could …

May 19, 2026
CVE-2026-8073
7.5 HIGH

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation …

May 19, 2026
CVE-2026-8604
8.8 HIGH

In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user …

May 19, 2026
CVE-2026-47107
8.1 HIGH

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users …

May 19, 2026
CVE-2026-33633
7.5 HIGH

Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write …

May 19, 2026
CVE-2025-61081
7.5 HIGH

In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the …

May 19, 2026
CVE-2026-47358
7.5 HIGH

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When …

May 19, 2026
CVE-2026-47357
7.5 HIGH

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running …

May 19, 2026
CVE-2026-47356
7.5 HIGH

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in …

May 19, 2026
CVE-2026-36828
8.8 HIGH

A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute …

May 19, 2026
CVE-2026-5804
8.4 HIGH

An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external …

May 19, 2026
CVE-2026-31069
8.8 HIGH

BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is …

May 19, 2026
CVE-2026-8711
8.1 HIGH

NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a …

May 19, 2026
CVE-2026-47100
7.5 HIGH

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal …

May 19, 2026
CVE-2026-43634
7.5 HIGH

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP …

May 19, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.