CVE Database

36500+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2020-37219
7.5 HIGH

Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET …

May 13, 2026
CVE-2020-37218
8.2 HIGH

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code …

May 13, 2026
CVE-2026-4609
7.1 HIGH

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user …

May 13, 2026
CVE-2026-37430
7.3 HIGH

An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.

May 13, 2026
CVE-2026-6177
7.2 HIGH

The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient …

May 13, 2026
CVE-2026-3425
8.8 HIGH

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' …

May 13, 2026
CVE-2026-35506
7.2 HIGH

ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a …

May 13, 2026
CVE-2026-6276
7.5 HIGH

Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy …

May 13, 2026
CVE-2026-5773
7.5 HIGH

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse …

May 13, 2026
CVE-2026-4798
7.5 HIGH

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due …

May 13, 2026
CVE-2026-25705
8.4 HIGH

A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside …

May 13, 2026
CVE-2026-6929
7.5 HIGH

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' …

May 13, 2026
CVE-2026-44612
7.8 HIGH

Bytello Share (Windows Edition) installer executable provided by Bytello insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when …

May 13, 2026
CVE-2026-21020
7.8 HIGH

Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions.

May 13, 2026
CVE-2026-7635
8.1 HIGH

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is …

May 13, 2026
CVE-2026-8336
7.5 HIGH

After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently …

May 13, 2026
CVE-2026-8053
8.8 HIGH

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod …

May 13, 2026
CVE-2026-6888
7.2 HIGH

Successful exploitation of the SQL injection vulnerability could allow a remote authenticated attacker to execute arbitrary commands via a specific interface, potentially enabling the attacker …

May 13, 2026
CVE-2026-8108
7.8 HIGH

The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

May 12, 2026
CVE-2026-5371
7.1 HIGH

The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due …

May 12, 2026
CVE-2026-44548
8.1 HIGH

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a …

May 12, 2026
CVE-2026-43685
7.2 HIGH

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input …

May 12, 2026
CVE-2026-43680
7.2 HIGH

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule …

May 12, 2026
CVE-2026-42289
8.8 HIGH

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF …

May 12, 2026
CVE-2026-1250
7.5 HIGH

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions …

May 12, 2026
CVE-2026-45227
8.8 HIGH

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using …

May 12, 2026
CVE-2026-45226
7.1 HIGH

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without …

May 12, 2026
CVE-2026-45225
7.6 HIGH

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by …

May 12, 2026
CVE-2026-44871
7.2 HIGH

Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of …

May 12, 2026
CVE-2026-44304
8.1 HIGH

Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. …

May 12, 2026
CVE-2026-44302
7.5 HIGH

Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed …

May 12, 2026
CVE-2026-44296
7.5 HIGH

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS …

May 12, 2026
CVE-2026-44260
8.1 HIGH

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. …

May 12, 2026
CVE-2026-44241
7.5 HIGH

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter …

May 12, 2026
CVE-2026-44015
8.5 HIGH

Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) …

May 12, 2026
CVE-2026-42855
7.5 HIGH

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 …

May 12, 2026
CVE-2026-42544
7.5 HIGH

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket …

May 12, 2026
CVE-2026-42268
7.5 HIGH

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an …

May 12, 2026
CVE-2026-40902
7.5 HIGH

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method …

May 12, 2026
CVE-2026-40863
7.5 HIGH

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) …

May 12, 2026
CVE-2026-26289
8.2 HIGH

PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions …

May 12, 2026
CVE-2026-44403
7.2 HIGH

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua …

May 12, 2026
CVE-2026-44246
7.2 HIGH

nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is …

May 12, 2026
CVE-2026-44240
7.5 HIGH

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A …

May 12, 2026
CVE-2026-44224
8.8 HIGH

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it …

May 12, 2026
CVE-2025-65088
7.8 HIGH

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to …

May 12, 2026
CVE-2025-65087
7.8 HIGH

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to …

May 12, 2026
CVE-2025-65086
7.8 HIGH

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to …

May 12, 2026
CVE-2026-7474
8.8 HIGH

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) …

May 12, 2026
CVE-2026-44872
7.2 HIGH

A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to …

May 12, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.