Vulnerability Database
Real-time vulnerability intelligence from the European Union Vulnerability Database (EUVD).
Real-time access to the European Union Vulnerability Database (EUVD), maintained by ENISA. Search and monitor CVEs (Common Vulnerabilities and Exposures), exploited vulnerabilities, and critical security flaws affecting software products worldwide.
- Latest: Most recently disclosed vulnerabilities across all software vendors and products.
- Exploited: Vulnerabilities confirmed to be actively exploited in the wild — prioritize patching these immediately.
- Critical: CRITICAL severity vulnerabilities (CVSS 9.0+) requiring urgent attention from security teams.
- Search: Search by product name, vendor, CVSS score range, or exploitation status to find vulnerabilities affecting your environment.
Each vulnerability includes CVSS scoring, EPSS exploitation probability, affected vendors and products, references to advisories, and CVE aliases. Click any vulnerability to expand full details and references.
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages
Open WebUI vulnerable to Stored XSS via iFrame in citations model
Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions
Open WebUI allows limited stored XSS vila uploaded html file
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.
AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets. It's recommended to upgrade to RES version 2026.06.
MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.