CVE.report
CVE.report is the most up-to-date database of common vulnerabilities and exposures. Information is pulled in from several sources and processed into a mobile-friendly, easy-to-use page. Use the site to quickly check for vulnerabilities in products such as operating systems, applications, hardware, networks, databases, browsers, e-mail clients and more.
CVEs provide a unique and common naming scheme for publicly known cyber security vulnerabilities in order to quickly identify and share these vulnerabilities. You can use the search below to look for vulnerabilities based on product, vendor, or common tags.
The form you will see after following this link allows you to fill out the various variables in the CVSS scoring system and receive the corresponding score. The description of each of the variables is also included for additional information.
cve.report now provides a free read-only JSON API for CVE details. Each record combines the CVE Program JSON record, NVD enrichment, KEV, and EPSS when available.
| CVE | Description | Updated |
|---|---|---|
| CVE-2026-40478 json | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40477 json | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40476 json | graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40474 json | wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permissi... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40353 json | wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in Abstract... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40352 json | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL ... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40351 json | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript ty... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40321 json | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versio... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40306 json | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new install... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40305 json | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in ver... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40304 json | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (contro... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40258 json | The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a p... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-29013 json | libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/o... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-5720 json | miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a de... | Fri, 17 Apr 2026 18:19:58 |
| CVE-2026-40103 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for cu... | Fri, 17 Apr 2026 18:04:35 |
| CVE-2026-35602 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the att... | Fri, 17 Apr 2026 18:04:35 |
| CVE-2026-35601 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar ... | Fri, 17 Apr 2026 18:04:35 |
| CVE-2026-33618 json | Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() me... | Fri, 17 Apr 2026 18:04:35 |
| CVE-2025-66447 json | Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the u... | Fri, 17 Apr 2026 18:04:35 |
| CVE-2026-40228 json | In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" ... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-35600 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdo... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-35599 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an ... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-35598 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-35597 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is ... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-35596 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL ... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-35595 json | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_per... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-22560 json | An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by mani... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2025-54236 json | Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Impr... | Fri, 17 Apr 2026 18:04:34 |
| CVE-2026-33141 json | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-32932 json | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session c... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-32931 json | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in th... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-32930 json | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vuln... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-32894 json | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vuln... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-32893 json | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-32892 json | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vu... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-31941 json | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forg... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-31940 json | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled reque... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-31939 json | Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php lead... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2025-15602 json | Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently prot... | Fri, 17 Apr 2026 17:34:31 |
| CVE-2026-28518 json | OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import h... | Fri, 17 Apr 2026 17:34:30 |
| CVE-2026-40527 json | radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF b... | Fri, 17 Apr 2026 17:19:32 |
| CVE-2026-40303 json | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie p... | Fri, 17 Apr 2026 17:19:32 |
| CVE-2026-40302 json | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine ... | Fri, 17 Apr 2026 17:19:32 |
| CVE-2026-40301 json | DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> ele... | Fri, 17 Apr 2026 17:19:32 |
| CVE-2026-40299 json | next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1 with... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-40293 json | OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configu... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-40286 json | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerab... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-40285 json | WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/mem... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-40284 json | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerab... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-40282 json | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerab... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-40196 json | HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-40155 json | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-35603 json | Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default con... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-35512 json | xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic vi... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-35402 json | mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-33894 json | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-33689 json | xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-33549 json | SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the edit... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-33436 json | Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-33145 json | xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands o... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-33060 json | CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-32766 json | astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extens... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-23500 json | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions pr... | Fri, 17 Apr 2026 17:19:31 |
| CVE-2026-1776 json | Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 up... | Fri, 17 Apr 2026 17:04:24 |
| CVE-2026-0846 json | A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due... | Fri, 17 Apr 2026 17:04:24 |
| CVE-2025-65734 json | An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and f... | Fri, 17 Apr 2026 17:04:24 |
| CVE-2026-40312 json | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an... | Fri, 17 Apr 2026 16:49:15 |
| CVE-2026-40183 json | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, th... | Fri, 17 Apr 2026 16:49:15 |
| CVE-2026-40169 json | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a ... | Fri, 17 Apr 2026 16:49:15 |
| CVE-2026-39880 json | Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID d... | Fri, 17 Apr 2026 16:49:15 |
| CVE-2026-33273 json | Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is ex... | Fri, 17 Apr 2026 16:49:15 |
| CVE-2026-27787 json | Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary s... | Fri, 17 Apr 2026 16:49:15 |
| CVE-2026-35526 json | Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription hand... | Fri, 17 Apr 2026 16:49:14 |
| CVE-2026-35523 json | Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentica... | Fri, 17 Apr 2026 16:49:14 |
| CVE-2026-35515 json | Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpol... | Fri, 17 Apr 2026 16:49:14 |
| CVE-2026-33810 json | When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildca... | Fri, 17 Apr 2026 16:49:14 |
| CVE-2026-24913 json | SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information store... | Fri, 17 Apr 2026 16:49:14 |
| CVE-2026-34582 json | Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to b... | Fri, 17 Apr 2026 16:33:58 |
| CVE-2026-34580 json | Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it w... | Fri, 17 Apr 2026 16:33:58 |
| CVE-2026-34079 json | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated... | Fri, 17 Apr 2026 16:33:58 |
| CVE-2026-24661 json | Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows a... | Fri, 17 Apr 2026 16:33:58 |
| CVE-2026-21388 json | Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows a... | Fri, 17 Apr 2026 16:33:58 |
| CVE-2026-40461 json | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), al... | Fri, 17 Apr 2026 16:18:37 |
| CVE-2026-40434 json | Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacke... | Fri, 17 Apr 2026 16:18:37 |
| CVE-2026-40342 json | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external ... | Fri, 17 Apr 2026 16:18:37 |
| CVE-2026-40283 json | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerab... | Fri, 17 Apr 2026 16:18:37 |
| CVE-2026-40066 json | Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes ... | Fri, 17 Apr 2026 16:18:37 |
| CVE-2026-35682 json | Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command ... | Fri, 17 Apr 2026 16:18:37 |
| CVE-2026-35546 json | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, en... | Fri, 17 Apr 2026 16:18:37 |
| CVE-2026-39853 json | osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, a stack buffer overflow vulnerab... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-39843 json | Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is in... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-35215 json | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc(... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-35061 json | Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, rev... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-35040 json | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the ... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-34232 json | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_statu... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-33569 json | Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and sessi... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-33516 json | xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capabil... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-33093 json | Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camer... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-32650 json | Anviz CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable encryption, causing databa... | Fri, 17 Apr 2026 16:18:36 |
| CVE-2026-32648 json | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY... | Fri, 17 Apr 2026 16:18:36 |