CVE & Exploit Intelligence Database

Updated 2h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,847 CVEs tracked 53,242 with exploits 4,725 exploited in wild 1,540 CISA KEV 3,918 Nuclei templates 37,802 vendors 42,493 researchers
57 results Clear all
CVE-2026-3914
Google Chrome <146.0.7680.71 - Memory Corruption
Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE-472 Mar 11, 2026
CVE-2026-3538 8.8 HIGH EPSS 0.00
Google Chrome <145.0.7632.159 - Memory Corruption
Integer overflow in Skia in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
CWE-191 Mar 04, 2026
CVE-2026-3536 8.8 HIGH EPSS 0.00
Google Chrome <145.0.7632.159 - Memory Corruption
Integer overflow in ANGLE in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
CWE-472 Mar 04, 2026
CVE-2026-2649 8.8 HIGH EPSS 0.00
Google Chrome <145.0.7632.109 - Memory Corruption
Integer overflow in V8 in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE-472 Feb 18, 2026
CVE-2025-14750 EPSS 0.00
Web App - Privilege Escalation
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.
CWE-472 Jan 22, 2026
CVE-2025-67846 4.9 MEDIUM EPSS 0.00
Mintlify Platform <2025-11-15 - Auth Bypass
The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.
CWE-472 Dec 19, 2025
CVE-2025-66385 1 Writeup EPSS 0.00
Cerebrate <1.30 - Privilege Escalation
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request.
CWE-472 Nov 28, 2025
CVE-2025-10892 8.8 HIGH EPSS 0.00
Google Chrome < 140.0.7339.207 - Integer Overflow
Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE-190 Sep 24, 2025
CVE-2025-10891 8.8 HIGH EPSS 0.00
Google Chrome <140.0.7339.207 - Heap Corruption
Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE-472 Sep 24, 2025
CVE-2025-54551 4.3 MEDIUM EPSS 0.00
Synapse Mobility <8.2 - Privilege Escalation
Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a privilege escalation vulnerability through external control of Web parameter. If exploited, a user of the product may escalate the privilege and access data that the user do not have permission to view by altering the parameters of the search function.
CWE-472 Aug 20, 2025
CVE-2025-54832 4.3 MEDIUM EPSS 0.00
OPEXUS FOIAXpress PAL <v11.1.0 - Privilege Escalation
OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories.
CWE-472 Jul 31, 2025
CVE-2025-8198 7.5 HIGH EPSS 0.00
MinimogWP - Price Manipulation
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed.
CWE-472 Jul 26, 2025
CVE-2025-7656 8.8 HIGH EPSS 0.00
Google Chrome <138.0.7204.157 - Heap Corruption
Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE-472 Jul 15, 2025
CVE-2025-43933 9.8 CRITICAL 1 Writeup EPSS 0.00
fblog <983bede - Info Disclosure
fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
CWE-472 Jul 07, 2025
CVE-2025-43930 9.8 CRITICAL 1 Writeup EPSS 0.00
Hashview 0.8.1 - Info Disclosure
Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
CWE-472 Jul 07, 2025
CVE-2025-6191 8.8 HIGH EPSS 0.00
Google Chrome < 137.0.7151.119 - Integer Overflow
Integer overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
CWE-190 Jun 18, 2025
CVE-2025-43002 4.3 MEDIUM EPSS 0.00
SAP S4CORE - Info Disclosure
SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted.
CWE-472 May 13, 2025
CVE-2025-47817 8.8 HIGH 1 Writeup EPSS 0.00
BlueWave Checkmate <2.0.2 - Privilege Escalation
In BlueWave Checkmate through 2.0.2 before b387eba, a profile edit request can include a role parameter.
CWE-472 May 10, 2025
CVE-2025-35939 5.3 MEDIUM KEV EPSS 0.30
Craft CMS - RCE
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
CWE-472 May 07, 2025
CVE-2025-47245 8.1 HIGH 1 Writeup EPSS 0.00
BlueWave Checkmate <2.0.2 - Privilege Escalation
In BlueWave Checkmate through 2.0.2 before d4a6072, an invite request can be modified to specify a privileged role.
CWE-472 May 04, 2025

Investigate

Critical + Public Exploits Exploited in Wild + PoC High EPSS (>=0.7) + PoC With Nuclei Templates Latest Public Exploits

Ecosystems

Linux Maven Packagist PyPI npm Go ecosystem RubyGems crates.io NuGet Hex SwiftURL GitHub Actions

Reference Indexes

Exploit Database Researchers Vendors CWE Categories

Recent Blog Posts

CVE-2026-28391: OpenClaw Command Injection - The Day I Hacked Myself
Mar 09, 2026
Introducing FuzzForge: Autonomous Source-Code Fuzzing - Finding Bugs in nginx in 112 Minutes
Mar 08, 2026
CVE-2025-68670 Part 2: From Crash to RCE - The One That Fought Back (and Lost)
Mar 04, 2026
CVE-2025-68670: Pre-Auth xrdp Overflow - The One Where the Protocol Fought Back
Mar 04, 2026
CVE-2025-62507: Redis Stack Overflow to RCE in 68 Minutes - Then We Turned ASLR On
Mar 03, 2026
CVE-2025-15467: From OpenSSL Stack Overflow to Three ROP Chains in 64 Minutes - Introducing Stackforge
Mar 03, 2026
 View all posts →

CVEForge Labs

CVE-2016-15057 CRITICAL
Apache Continuum - Command Injection
CVE-2021-32824 CRITICAL
Apache Dubbo <2.6.10-2.7.10 - RCE
CVE-2023-42117 CRITICAL
Exim < 4.96.2 - Remote Code Execution
CVE-2024-31866 CRITICAL
Apache Zeppelin <0.11.1 - RCE
CVE-2024-37288 CRITICAL
Elastic Kibana - Insecure Deserialization
CVE-2024-43115 HIGH
Apache DolphinScheduler <3.2.2 - RCE
CVE-2024-45409 CRITICAL
Ruby-SAML <=1.16.0 - Auth Bypass
CVE-2024-56143 HIGH
Strapi < 5.5.2 - IDOR
CVE-2025-10622 HIGH
Red Hat Satellite - Command Injection
CVE-2025-11539 CRITICAL
Grafana Image Renderer - RCE
 View all labs →

KEV Gaps

CVE-2026-1603
Ivanti Endpoint Manager < 2024 - Authentication Bypass
 CVE-2023-43000
macOS Ventura <13.5-iPadOS <16.6-Safari <16.6 - Use After Free
 CVE-2021-30952
tvOS <15.2 - RCE
 CVE-2021-22681
Rockwell Automation Studio 5000 <21 - Path Traversal
 CVE-2026-22719
VMware Aria Operations - Command Injection
 CVE-2026-25108
FileZen - Command Injection
 CVE-2026-22769
Dell RecoverPoint <6.0.3.1 HF1 - Auth Bypass
 CVE-2021-22175
Gitlab < 13.6.7 - SSRF
 CVE-2024-7694
Teamt5 Threatsonar Anti-ransomware < 3.5.0 - Unrestricted File Upload
 CVE-2020-7796
Zimbra Collaboration Suite <8.8.15 Patch 7 - SSRF
 CVE-2026-21525
Microsoft Windows 10 1607 < 10.0.14393.8868 - NULL Pointer Dereference
 CVE-2026-21519
Microsoft Windows 10 1607 < 10.0.14393.8868 - Type Confusion