Lucene search
K
Vulncheck KevRecent

4985 matches found

VulnCheck KEV
VulnCheck KEV
added 2026/06/15 12:0 a.m.11 views

VulnCheck KEV: CVE-2026-25089

A improper neutralization of special elements used in an os command 'os command injection' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may...

9.8CVSS6.1AI score0.23393EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/12 12:0 a.m.13 views

VulnCheck KEV: CVE-2020-6286

The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA LM Configuration Wizard, versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal...

5.3CVSS6.2AI score0.28312EPSS
Exploits3References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/12 12:0 a.m.18 views

VulnCheck KEV: CVE-2026-48907

A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution...

10CVSS5.3AI score0.80425EPSS
Exploits18References7
VulnCheck KEV
VulnCheck KEV
added 2026/06/12 12:0 a.m.47 views

VulnCheck KEV: CVE-2026-25939

FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on...

9.3CVSS5.4AI score0.12047EPSS
Exploits1References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/11 12:0 a.m.14 views

VulnCheck KEV: CVE-2026-42653

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6...

7.1CVSS5.2AI score0.00142EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/11 12:0 a.m.15 views

VulnCheck KEV: CVE-2026-39494

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2...

9.3CVSS5.5AI score0.0039EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/11 12:0 a.m.19 views

VulnCheck KEV: CVE-2026-35273

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft component: Updates Environment Management. Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise...

9.8CVSS5.8AI score0.9233EPSS
Exploits3References8
VulnCheck KEV
VulnCheck KEV
added 2026/06/10 12:0 a.m.13 views

VulnCheck KEV: CVE-2026-10795

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

8.1CVSS6AI score0.03578EPSS
Exploits3References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/10 12:0 a.m.10 views

VulnCheck KEV: CVE-2026-3018

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriberid’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS5.8AI score0.01382EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/10 12:0 a.m.15 views

VulnCheck KEV: CVE-2026-10520

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution...

10CVSS6.6AI score0.99041EPSS
Exploits6References23
VulnCheck KEV
VulnCheck KEV
added 2026/06/09 12:0 a.m.51 views

VulnCheck KEV: CVE-2026-34910

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection...

10CVSS5.6AI score0.78555EPSS
Exploits2References4
VulnCheck KEV
VulnCheck KEV
added 2026/06/09 12:0 a.m.6 views

VulnCheck KEV: CVE-2026-34909

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account...

10CVSS5.8AI score0.02269EPSS
Exploits2References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/09 12:0 a.m.14 views

VulnCheck KEV: CVE-2026-39808

A improper neutralization of special elements used in an os command 'os command injection' vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via...

9.8CVSS6.2AI score0.48668EPSS
Exploits6References9
VulnCheck KEV
VulnCheck KEV
added 2026/06/09 12:0 a.m.42 views

VulnCheck KEV: CVE-2026-34908

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system...

10CVSS5.4AI score0.78555EPSS
Exploits3References4
VulnCheck KEV
VulnCheck KEV
added 2026/06/08 12:0 a.m.32 views

VulnCheck KEV: CVE-2026-50751

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password...

9.3CVSS5.9AI score0.70099EPSS
Exploits5References4
VulnCheck KEV
VulnCheck KEV
added 2026/06/08 12:0 a.m.14 views

VulnCheck KEV: CVE-2026-49060

Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4...

9.8CVSS5.4AI score0.00514EPSS
Exploits1References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/08 12:0 a.m.36 views

VulnCheck KEV: CVE-2026-42271

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

8.8CVSS5.6AI score0.80188EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/08 12:0 a.m.18 views

VulnCheck KEV: CVE-2026-11645

Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS6.3AI score0.01654EPSS
Exploits4References4
VulnCheck KEV
VulnCheck KEV
added 2026/06/08 12:0 a.m.26 views

VulnCheck KEV: CVE-2026-5027

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences '../'...

8.8CVSS5.6AI score0.02104EPSS
Exploits4References27
VulnCheck KEV
VulnCheck KEV
added 2026/06/08 12:0 a.m.18 views

VulnCheck KEV: CVE-2026-7482

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and...

9.1CVSS6.8AI score0.01001EPSS
Exploits3References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/05 12:0 a.m.28 views

VulnCheck KEV: CVE-2026-31816

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

9.1CVSS5.6AI score0.15339EPSS
Exploits2References6
VulnCheck KEV
VulnCheck KEV
added 2026/06/05 12:0 a.m.19 views

VulnCheck KEV: CVE-2026-20245

A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplyi...

7.8CVSS6.3AI score0.25323EPSS
Exploits2References5
VulnCheck KEV
VulnCheck KEV
added 2026/06/05 12:0 a.m.18 views

VulnCheck KEV: CVE-2026-49777

Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4...

10CVSS5.4AI score0.01656EPSS
Exploits2References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/05 12:0 a.m.22 views

VulnCheck KEV: CVE-2026-28318

SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update...

7.5CVSS5.5AI score0.10659EPSS
Exploits2References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/04 12:0 a.m.10 views

VulnCheck KEV: CVE-2018-25270

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system...

9.8CVSS6.7AI score0.0089EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/04 12:0 a.m.12 views

VulnCheck KEV: CVE-2026-5073

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'armdirectorypagingaction' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of...

7.5CVSS5.7AI score0.01383EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/03 12:0 a.m.13 views

VulnCheck KEV: CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

9.8CVSS6.2AI score0.40992EPSS
Exploits1References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/03 12:0 a.m.16 views

VulnCheck KEV: CVE-2021-27137

DD-WRT router firmware before changeset 45723 contains a stack buffer overflow vulnerability in the UPnP service that allows remote attackers to execute arbitrary code by sending specially crafted M-SEARCH requests with oversized ST:uuid values via UDP port 1900. Attackers can exploit this...

6.4AI score
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/02 12:0 a.m.58 views

VulnCheck KEV: CVE-2026-7465

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server...

8.8CVSS6.1AI score0.01174EPSS
Exploits3References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/02 12:0 a.m.15 views

VulnCheck KEV: CVE-2026-8206

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

9.8CVSS5.9AI score0.0126EPSS
Exploits4References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/01 12:0 a.m.19 views

VulnCheck KEV: CVE-2026-42167

modsql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands e.g., COPY TO PROGRAM...

8.1CVSS6.5AI score0.05004EPSS
Exploits6References6
VulnCheck KEV
VulnCheck KEV
added 2026/06/01 12:0 a.m.15 views

VulnCheck KEV: CVE-2024-21182

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic...

7.5CVSS7.2AI score0.49689EPSS
Exploits3References4
VulnCheck KEV
VulnCheck KEV
added 2026/06/01 12:0 a.m.12 views

VulnCheck KEV: CVE-2024-48456

An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a...

7.5CVSS7.3AI score0.17289EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/06/01 12:0 a.m.17 views

VulnCheck KEV: CVE-2022-0492

A vulnerability was found in the Linux kernel’s cgroupreleaseagentwrite in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 releaseagent feature to escalate privileges and bypass the namespace isolation unexpectedly...

7.8CVSS6.9AI score0.05528EPSS
Exploits12References4
VulnCheck KEV
VulnCheck KEV
added 2026/06/01 12:0 a.m.9 views

VulnCheck KEV: CVE-2026-54420

LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...

8.5CVSS5.3AI score0.01261EPSS
Exploits3References5
VulnCheck KEV
VulnCheck KEV
added 2026/06/01 12:0 a.m.13 views

VulnCheck KEV: CVE-2025-48595

In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

8.4CVSS6.5AI score0.01714EPSS
Exploits1References5
VulnCheck KEV
VulnCheck KEV
added 2026/05/31 12:0 a.m.39 views

VulnCheck KEV: CVE-2026-28414

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ change...

7.5CVSS5.9AI score0.03095EPSS
Exploits1References9
VulnCheck KEV
VulnCheck KEV
added 2026/05/29 12:0 a.m.106 views

VulnCheck KEV: CVE-2026-45247

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted...

9.8CVSS6.7AI score0.27546EPSS
Exploits1References3
VulnCheck KEV
VulnCheck KEV
added 2026/05/29 12:0 a.m.93 views

VulnCheck KEV: CVE-2026-8732

The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmptempaccessajax AJAX action being registered with wpajaxnopriv and protected only by a nonce check using the...

9.8CVSS5.7AI score0.09461EPSS
Exploits7References3
VulnCheck KEV
VulnCheck KEV
added 2026/05/29 12:0 a.m.136 views

VulnCheck KEV: CVE-2026-0257

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues...

9.1CVSS5.8AI score0.86678EPSS
Exploits9References10
VulnCheck KEV
VulnCheck KEV
added 2026/05/29 12:0 a.m.16 views

VulnCheck KEV: CVE-2025-11262

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.2CVSS6AI score0.00233EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/29 12:0 a.m.41 views

VulnCheck KEV: CVE-2026-41089

Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network...

9.8CVSS6.3AI score0.72253EPSS
Exploits31References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/27 12:0 a.m.19 views

VulnCheck KEV: CVE-2026-45321

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...

9.6CVSS7.5AI score0.02342EPSS
Exploits3References5
VulnCheck KEV
VulnCheck KEV
added 2026/05/27 12:0 a.m.16 views

VulnCheck KEV: CVE-2026-48027

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for 18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the...

9.8CVSS5.8AI score0.0185EPSS
Exploits1References4
VulnCheck KEV
VulnCheck KEV
added 2026/05/25 12:0 a.m.22 views

VulnCheck KEV: CVE-2026-5426

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks...

9.1CVSS6.5AI score0.01008EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/05/22 12:0 a.m.21 views

VulnCheck KEV: CVE-2026-39365

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

6.3CVSS5.8AI score0.00914EPSS
Exploits1References10
VulnCheck KEV
VulnCheck KEV
added 2026/05/22 12:0 a.m.16 views

VulnCheck KEV: CVE-2017-7577

XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request...

9.8CVSS5.9AI score0.28746EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/22 12:0 a.m.24 views

VulnCheck KEV: CVE-2026-9082

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0...

9.8CVSS5.8AI score0.84631EPSS
Exploits13References5
VulnCheck KEV
VulnCheck KEV
added 2026/05/21 12:0 a.m.20 views

VulnCheck KEV: CVE-2026-34926

A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...

6.7CVSS5.9AI score0.12682EPSS
Exploits0References4
VulnCheck KEV
VulnCheck KEV
added 2026/05/21 12:0 a.m.30 views

VulnCheck KEV: CVE-2026-48172

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation possibly to root, as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpaneljsonapifunc=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2/dev/null in Bash. If you get no output,...

10CVSS5.8AI score0.18914EPSS
Exploits1References5
Total number of security vulnerabilities4985