CVE & CISA-KEV Catalog

362,600 CVEs1,630 actively exploited (KEV)AboutAPI
Active:
  • CVSS 5.3 v3·EPSS 0.3%·No fix yet

    A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Configuration settings should be changed. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2026-06-29

  • CVSS 7.2 v3·EPSS 0.3%·No fix yet

    An high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.

    Published 2026-06-23

  • CVSS 2.3 v3·EPSS 0.2%·No fix yet

    IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 exposes resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, bypassing intended access controls.

    Published 2026-06-22

  • CVSS 6.9 v4·EPSS 0.4%·No fix yet

    The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.

    Published 2026-06-15

  • CVSS 4.9 v3·EPSS 0.2%·No fix yet

    A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.

    Published 2026-06-11

  • CVSS 5.3 v3·EPSS 0.2%·No fix yet

    Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.

    Published 2026-05-21

  • CVSS 8.3 v3·EPSS 0.5%·Fix available

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user — including those using fake Bearer tokens — can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.

    Published 2026-05-09

  • CVSS 5.4 v3·EPSS 0.2%·Fix available

    When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

    Published 2026-04-30

  • CVSS 4.3 v3·EPSS 0.2%·No fix yet

    Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.

    Published 2026-04-16

  • CVSS 8.8 v3·EPSS 26%·Fix available

    LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.

    Published 2026-04-06

  • CVSS 5.3 v3·EPSS 0.4%·No fix yet

    MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials.

    Published 2026-03-30

  • CVSS 7.1 v3·EPSS 0.3%·No fix yet

    In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.

    Published 2026-03-27

  • CVSS 5.3 v3·EPSS 0.4%·No fix yet

    A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. It is advisable to modify the configuration settings.

    Published 2026-03-26

  • CVSS 7.7 v3·EPSS 0.3%·No fix yet

    OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper authorization checks. This flaw compromises system confidentiality by exposing sensitive information, potentially leading to unauthorized data disclosure and misuse. As of time of publication, no known patches versions are available.

    Published 2026-03-26

  • CVSS 5.4 v3·EPSS 0.2%·Fix available

    OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix.

    Published 2026-03-26

  • CVSS 7.1 v3·EPSS 0.3%·Fix available

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

    Published 2026-03-25

  • CVSS 5.3 v3·EPSS 0.5%·No fix yet

    A security vulnerability has been detected in code-projects Simple Food Ordering System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /food/sql/food.sql of the component Database Backup Handler. The manipulation leads to files or directories accessible. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. It is recommended to change the configuration settings.

    Published 2026-03-22

  • CVSS 9.1 v3·EPSS 0.5%·Fix available

    When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

    Published 2026-03-19

  • CVSS 5.4 v3·EPSS 0.2%·Fix available

    OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.

    Published 2026-03-19

  • CVSS -·EPSS 0.2%·No fix yet

    Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for tcPDU), 1.67 (for LK3.5 - hardware versions: 3.5, 3.6, 3.7 and 3.8), 1.75 (for LK3.9 - hardware version 3.9) and 1.38 (for LK4 - hardware version 4.0).

    Published 2026-03-16

  • CVSS 7.5 v3·EPSS 0.7%·Fix available

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

    Published 2026-03-12

  • CVSS 5.3 v3·EPSS 0.4%·No fix yet

    A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings.

    Published 2026-02-06

  • CVSS 9.4 v3·EPSS 0.4%·No fix yet

    A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries.

    Published 2026-01-23

  • CVSS 7.5 v3·EPSS 0.7%·No fix yet

    ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299.

    Published 2026-01-23

  • CVSS -·EPSS 0.4%·No fix yet

    OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.

    Published 2026-01-07

  • CVSS 3.7 v3·EPSS 0.4%·No fix yet

    A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing a manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. Modifying the configuration settings is advised.

    Published 2025-12-28

  • CVSS 5.0 v3·EPSS 0.4%·Fix available

    The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization.

    Published 2025-12-19

  • CVSS -·EPSS 0.2%·No fix yet

    In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

    Published 2025-12-18

  • CVSS -·EPSS 0.3%·No fix yet

    Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.

    Published 2025-12-17

  • CVSS 3.7 v3·EPSS 0.3%·No fix yet

    A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation results in files or directories accessible. The attack may be launched remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2025-12-15

  • CVSS 2.7 v3·EPSS 0.2%·No fix yet

    A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints

    Published 2025-12-09

  • CVSS 4.3 v3·EPSS 0.3%·Fix available

    GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions.

    Published 2025-11-26

  • CVSS 5.3 v3·EPSS 0.2%·Fix available

    Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL.

    Published 2025-10-27

  • CVSS 3.7 v3·EPSS 0.4%·No fix yet

    A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

    Published 2025-10-05

  • CVSS 5.8 v3·EPSS 0.3%·No fix yet

    Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page.

    Published 2025-09-22

  • CVSS 3.1 v3·EPSS 0.2%·No fix yet

    A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2025-09-12

  • CVSS 5.1 v3·EPSS 0.1%·No fix yet

    AIML Solutions for HCL SX is vulnerable to a URL validation vulnerability. The issue may allow attackers to launch a server-side request forgery (SSRF) attack enabling unauthorized network calls from the system, potentially exposing internal services or sensitive information.

    Published 2025-08-28

  • CVSS 9.8 v3·EPSS 0.6%·No fix yet

    Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down.

    Published 2025-08-22

  • CVSS 6.5 v3·EPSS 0.2%·No fix yet

    flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

    Published 2025-08-19

  • CVSS 4.3 v3·EPSS 0.2%·Fix available

    Direct request ('Forced Browsing') issue exists in iroha Board versions v0.10.12 and earlier. If this vulnerability is exploited, non-public contents may be viewed by an attacker who can log in to the affected product.

    Published 2025-06-26

  • CVSS 4.2 v3·EPSS 0.2%·No fix yet

    In Sentry 25.1.0 through 25.5.1, an authenticated attacker can access a project's issue endpoint and perform unauthorized actions (such as adding a comment) without being a member of the project's team. A seven-digit issue ID must be known (it is not treated as a secret and might be mentioned publicly, or it could be predicted).

    Published 2025-06-24

  • CVSS 6.4 v3·EPSS 0.3%·No fix yet

    Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.

    Published 2025-06-23

  • CVSS 5.3 v3·EPSS 0.6%·No fix yet

    A vulnerability classified as problematic has been found in code-projects Automated Voting System 1.0. Affected is an unknown function of the file /vote.php of the component Backend. The manipulation leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

    Published 2025-06-20

  • CVSS 8.6 v3·EPSS 0.3%·No fix yet

    The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference.

    Published 2025-05-21

  • CVSS 8.6 v3·EPSS 0.3%·No fix yet

    The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference.

    Published 2025-05-21

  • CVSS 5.3 v3·EPSS 0.2%·No fix yet

    The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference.

    Published 2025-05-21

  • CVSS 8.6 v3·EPSS 0.3%·No fix yet

    The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location.

    Published 2025-05-21

  • CVSS 5.0 v3·EPSS 1.1%·Fix available

    Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.

    Published 2025-05-02

  • CVSS 5.0 v3·EPSS 0.3%·No fix yet

    Ververica Platform 2.14.0 allows low-privileged users to access SQL connectors via a direct namespaces/default/formats request.

    Published 2025-04-27

  • CVSS 4.3 v3·EPSS 0.3%·No fix yet

    NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 allows users who lack the InET role to access the InET module via direct requests to known endpoints.

    Published 2025-04-24

Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.