CVE Find: monitor vulnerabilities in real time

More than 130 new vulnerabilities are published every day, and the trend continues to accelerate in 2026. CVE Find, our platform developed by Bexxo, alerts you in real time to those affecting your infrastructure.

Why vulnerability monitoring is critical for your business

In 2025, 48,185 new vulnerabilities (CVEs) were published — a 20% increase compared to 2024. In 2026, the trend is accelerating further. Every day, more than 130 flaws are made public, some of which affect the software your business uses daily.

According to the Verizon Data Breach Investigations Report, 60% of data breaches exploit vulnerabilities for which a patch already existed at the time of the attack. The problem is not the absence of patches — it is the absence of monitoring. No IT team can manually track 130 CVEs per day.

Explore our global solution

With CVE Find, explore the largest vulnerability database in the world.

CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed computer security flaws. The CVE program aims to facilitate data sharing across different vulnerability detection capabilities, whether tools, databases or services. It also provides a standard for evaluating the coverage of these tools and services.

Access CVE Find

What CVE Find does for you

How can I be alerted in real time?

CVE Find notifies you by email and SMS as soon as a vulnerability affects your products. Configurable frequency: from instant alerts to monthly summaries.

Are my software products vulnerable?

Configure your products (CMS, servers, libraries) via the CPE catalogue. CVE Find continuously monitors the MITRE database and alerts you automatically. 338,000+ CVEs indexed.

How do I prioritise patches?

CVSS scoring (severity) and EPSS (probability of real-world exploitation) show you what to fix first. No more false positives.

Which vulnerabilities are being actively exploited?

The integrated CISA KEV catalogue identifies vulnerabilities already exploited in the wild. These are the flaws to fix with absolute top priority.

Is the platform available in English?

Yes. CVE Find is available in French, English and German. Developed in Switzerland by Bexxo, it is the only comprehensive French-language CVE platform.

Is the data reliable and up to date?

Real-time synchronisation with MITRE, NVD, CISA and FIRST.org. More than 48,000 CVEs added in 2025, and the database is enriched every hour.

Permanent Update

Stay ahead with the latest critical security vulnerabilities.

8.8

CVE-2026-5200 - HIGH
20/05/2026

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify pr...

authorisation problem, OWASP: A01

8.2

CVE-2026-9057 - HIGH
20/05/2026

A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available.

8.8

CVE-2026-7522 - HIGH
20/05/2026

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to byp...

OWASP: A03

9.8

CVE-2026-7637 - CRITICAL
20/05/2026

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or them...

OWASP: A08

9.8

CVE-2026-24207 - CRITICAL
20/05/2026

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.

OWASP: A07

8.8

CVE-2026-7467 - HIGH
20/05/2026

The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to the 'RadMoreAjax::importData' function not restricting which database tables can be written to during import and not properly validating the imported data. This makes it possible for authenticated attackers, with permission granted by the site owner throu...

privilege management, OWASP: A04

9.8

CVE-2026-7284 - CRITICAL
20/05/2026

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during regis...

privilege management, OWASP: A04

9.8

CVE-2026-6555 - CRITICAL
20/05/2026

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory. This makes it possible for unauthenticated attackers to upload ...

file inclusion, OWASP: A04

8.8

CVE-2026-6456 - HIGH
20/05/2026

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret validation at `app/RestAPI.php:111`, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their ...

authorisation problem, OWASP: A07

8.7

CVE-2026-34241 - HIGH
19/05/2026

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser. The flaw exists in both App\Notifi...

cross-site scripting, OWASP: A03

10

CVE-2026-34234 - CRITICAL
19/05/2026

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass u...

OS command injection, OWASP: A03, OWASP: A01

8.8

CVE-2026-32740 - HIGH
19/05/2026

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal imag...

overflow

8.7

CVE-2026-27173 - HIGH
19/05/2026

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow them to modify the state of the Airflow Database for tasks.

OWASP: A01

9.9

CVE-2026-33642 - CRITICAL
19/05/2026

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SS...

overflow

8.5

CVE-2026-8370 - HIGH
19/05/2026

Execution with unnecessary privileges vulnerability in Broadcom Automic Automation Agent Unix on Linux x64, Linux Power 64 BE, Linux Power 64 LE, zLinux (zSeries), AIX, Solaris x64, Solaris Sparc 64 allows Privilege Escalation, Target Programs with Elevated Privileges. This issue affects Automic Automation: < 24.4.4 HF1.

privilege management

9.6

CVE-2026-47107 - CRITICAL
19/05/2026

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries ac...

OWASP: A01

9.8

CVE-2026-36829 - CRITICAL
19/05/2026

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.

directory traversal, authorisation problem, OWASP: A01, OWASP: A07

8.8

CVE-2026-36828 - HIGH
19/05/2026

A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.

OS command injection, OWASP: A03

8.8

CVE-2026-8602 - HIGH
19/05/2026

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

authorisation problem, OWASP: A07

8.4

CVE-2026-5804 - HIGH
19/05/2026

An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing sensitive permissions and data. This could allow a local attacker to bypass permission checks an...

1311+ CVE
These Last 7 Days
Last updated: 2026-05-20 09:14

Management of CVEs and CWEs: Your Shield Against Cyber Threats.

20658+ CVE - Authorization problems

9181+ CVE - Cross-Site Request Forgery

19018+ CVE - SQL Injection

44135+ CVE - Cross-site Scripting


Why choose Bexxo?

I

Certified Expertise

CyberSafe Label certified and authorized to handle confidential data for federal institutions, our experts apply the highest security standards in the industry.

II

Personalized Support

We adapt our services to your specific needs, whether you are an SME or a large company.

III

Proactive Protection

We anticipate threats before they become a problem, thereby reducing risks and the impact of attacks.

Don't let your business be vulnerable to cyber threats. With Bexxo, secure your digital future today!

Frequently asked questions about CVE Find

How does CVE Find help with nFADP compliance?

The nFADP requires appropriate technical measures to protect data. Vulnerability monitoring is one of these measures: identifying and fixing flaws in your systems demonstrates proactive security management. CVE Find provides the traceability needed in the event of an inspection by the FDPIC.

How does the CVE Find alert system work?

You configure the list of products and technologies you use (servers, CMS, libraries, network equipment). CVE Find continuously monitors the MITRE database and alerts you by email or SMS as soon as a new vulnerability affects one of your products, with the severity score and patch recommendations.

How many CVEs are published each year?

The volume of published CVEs increases every year: 25,227 in 2022, 29,065 in 2023, 40,009 in 2024, and 48,185 in 2025. In 2026, the trend continues to accelerate with more than 130 CVEs published per day. CVE Find indexes all these vulnerabilities in real time.

Is CVE Find free?

Consulting the CVE Find database on www.cvefind.com is free and accessible to all. Advanced features (personalised alerts, monitoring of specific products, SMS notifications) are available to Bexxo clients as part of our audit and monitoring packages.

What is CVE Find?

CVE Find is a Swiss vulnerability monitoring platform, developed and maintained by Bexxo (tesweb SA). It covers the entire MITRE CVE database with real-time updates, email and SMS alerts, and integrated scoring to prioritise patches. The interface is available in French, English and German.

What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a known security flaw (e.g. CVE-2024-12345). This system, maintained by the MITRE Corporation, allows security professionals to reference the same vulnerability universally. In 2025, more than 48,000 new CVEs were published (+20% vs 2024).

What is the difference between CVE Find and the NIST NVD database?

The NVD (National Vulnerability Database) from NIST is the official US source. CVE Find aggregates this data and adds a layer of personalised alerts, product filtering and EPSS scoring (real-world exploitation probability) that the NVD does not offer natively. The interface is available in English.

Why is CVE monitoring essential for an SME?

More than 130 vulnerabilities are published every day, and this number increases year on year (+20% between 2024 and 2025). Without active monitoring, your company may be using software with known and exploitable flaws. 60% of data breaches exploit vulnerabilities for which a patch already existed (Verizon DBIR).
Discover how bexxo can secure your business. Don't hesitate to contact us for a personalized consultation today!