Vulnerability Database

Real-time vulnerability intelligence from the European Union Vulnerability Database (EUVD).

Real-time access to the European Union Vulnerability Database (EUVD), maintained by ENISA. Search and monitor CVEs (Common Vulnerabilities and Exposures), exploited vulnerabilities, and critical security flaws affecting software products worldwide.

  • Latest: Most recently disclosed vulnerabilities across all software vendors and products.
  • Exploited: Vulnerabilities confirmed to be actively exploited in the wild — prioritize patching these immediately.
  • Critical: CRITICAL severity vulnerabilities (CVSS 9.0+) requiring urgent attention from security teams.
  • Search: Search by product name, vendor, CVSS score range, or exploitation status to find vulnerabilities affecting your environment.

Each vulnerability includes CVSS scoring, EPSS exploitation probability, affected vendors and products, references to advisories, and CVE aliases. Click any vulnerability to expand full details and references.

MEDIUMCVSS 4.3EUVD-2026-22188 ↗2026-07-07
CVE-2026-34225 — Open WebUI
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality

Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality

HIGHCVSS 7.3EUVD-2026-7981 ↗2026-07-07
CVE-2026-26193
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages

Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages

HIGHCVSS 7.3EUVD-2026-7982 ↗2026-07-07
CVE-2026-26192
Open WebUI vulnerable to Stored XSS via iFrame in citations model

Open WebUI vulnerable to Stored XSS via iFrame in citations model

MEDIUMCVSS 5.4EUVD-2025-13498 ↗2026-07-07
CVE-2025-46719
Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions

Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions

MEDIUMCVSS 5.3EUVD-2025-13499 ↗2026-07-07
CVE-2025-46571 — Open WebUI
Open WebUI allows limited stored XSS vila uploaded html file

Open WebUI allows limited stored XSS vila uploaded html file

CRITICALCVSS 9.8EUVD-2026-42058 ↗2026-07-07
CVE-2026-13019 — Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubern...
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

HIGHCVSS 8.1EUVD-2026-42057 ↗2026-07-07
CVE-2026-13020 — Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal...
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.

HIGHCVSS 7.1EUVD-2026-42056 ↗2026-07-07
CVE-2026-14904 — AWS Research and Engineering Studio (RES)
AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets. It's recommended to upgrade to RES version 2026.06.

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets. It's recommended to upgrade to RES version 2026.06.

HIGHCVSS 8.5EUVD-2026-42053 ↗2026-07-07
CVE-2026-57851 — KernCoreLib64.sys kernel driver that
MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.

MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.

MEDIUMCVSS 6.5EUVD-2025-210439 ↗2026-07-07
CVE-2025-12799 — flaw was found in Jastow. Jastow
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.

A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.