CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,847 CVEs tracked
53,242 with exploits
4,725 exploited in the wild
1,540 in CISA KEV
3,918 Nuclei templates
37,802 vendors
42,493 researchers

1,290 results
CVE-2026-3783 | CVSS 5.3 MEDIUM | EPSS 0.00
curl - OAuth Token Leak
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
CWE-522 | Mar 11, 2026
CVE-2026-28678 | CVSS 8.1 HIGH | 1 Writeup | EPSS 0.00
DSA Study Hub - Info Disclosure
DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba.
CWE-522 | Mar 07, 2026
CVE-2026-27777 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Mar 06, 2026
CVE-2026-27027 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Mar 06, 2026
CVE-2026-28714 | CVSS 4.8 MEDIUM | EPSS 0.00
Acronis Cyber Protect 17 - Info Disclosure
Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
CWE-522 | Mar 06, 2026
CVE-2026-27770 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Mar 06, 2026
CVE-2026-29128 | CVSS 10.0 CRITICAL | EPSS 0.00
IDC SFX2100 Firmware - Info Disclosure
IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zebra, bgpd, ospfd, and ripd) that are owned by root but world-readable. The configuration files (e.g., zebra.conf, bgpd.conf, ospfd.conf, ripd.conf) contain hardcoded or otherwise insecure plaintext passwords (including “enable”/privileged-mode credentials). A remote actor is able to abuse the reuse/hardcoded nature of these credentials to further access other systems in the network, gain a foothold on the satellite receiver, or potentially escalate privileges locally.
CWE-798 | Mar 05, 2026
CVE-2026-0689 | EPSS 0.00
ExtremeCloud IQ Site Engine <26.2.10 - Info Disclosure
In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
CWE-522 | Mar 02, 2026
CVE-2026-20435 | CVSS 4.6 MEDIUM | EPSS 0.00
Preloader - Info Disclosure
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
CWE-522 | Mar 02, 2026
CVE-2026-27167 | CVSS NONE | EPSS 0.00
Gradio 4.16.0-6.6.0 - Auth Bypass
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.
CWE-798 | Feb 27, 2026
CVE-2026-21660 | CVSS 9.8 CRITICAL | EPSS 0.00
Frick Controls Quantum HD <10.22 - Info Disclosure
A Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise. This issue affects Frick Controls Quantum HD version 10.22 and prior.
CWE-256 | Feb 27, 2026
CVE-2026-25774 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Feb 27, 2026
CVE-2026-22878 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Feb 27, 2026
CVE-2026-27773 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Feb 27, 2026
CVE-2026-22890 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Feb 27, 2026
CVE-2026-20791 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Feb 27, 2026
CVE-2026-20733 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.00
Charging Station - Info Disclosure
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CWE-522 | Feb 27, 2026
CVE-2025-67860 | CVSS 3.8 LOW | EPSS 0.00
NeuVector Scanner - Info Disclosure
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.
CWE-522 | Feb 25, 2026
CVE-2026-26049 | CVSS 5.7 MEDIUM | 1 Writeup | EPSS 0.00
Device Web Interface - Info Disclosure
The web management interface of the device renders passwords in a plaintext input field. The current password is directly visible to anyone with access to the UI, potentially exposing administrator credentials to unauthorized observation via shoulder surfing, screenshots, or browser form caching.
CWE-522 | Feb 20, 2026
CVE-2026-27003 | CVSS 5.5 MEDIUM | 1 Writeup | EPSS 0.00
OpenClaw <2026.2.15 - Info Disclosure
OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.
CWE-522 | Feb 20, 2026