Warum die Überwachung von Schwachstellen für Ihr Unternehmen kritisch ist
Im Jahr 2025 wurden 48 185 neue Schwachstellen (CVE) veröffentlicht — ein Anstieg von 20 % gegenüber 2024. Im Jahr 2026 beschleunigt sich der Trend noch weiter. Jeden Tag werden mehr als 130 Sicherheitslücken öffentlich gemacht, von denen einige die Software betreffen, die Ihr Unternehmen täglich nutzt.
Laut dem Verizon Data Breach Investigations Report nutzen 60 % der Datenverletzungen Schwachstellen aus, für die zum Zeitpunkt des Angriffs bereits ein Patch vorhanden war. Das Problem ist nicht das Fehlen von Patches — es ist das Fehlen von Überwachung. Kein IT-Team kann manuell 130 CVE pro Tag verfolgen.
Avec CVE Find, explorez la plus grande base de données de vulnérabilités au monde.
Le CVE (Common Vulnerabilities and Exposures) est une liste de failles de sécurité informatique divulguées publiquement. Le programme CVE a pour objectif de faciliter le partage des données entre les différentes capacités de détection des vulnérabilités, qu'il s'agisse d'outils, de bases de données ou de services. Il fournit également une norme pour évaluer la couverture de ces outils et services.
Accédez à CVE Find
Was CVE Find für Sie tut
Wie werde ich in Echtzeit gewarnt?
CVE Find benachrichtigt Sie per E-Mail und SMS, sobald eine Schwachstelle Ihre Produkte betrifft. Konfigurierbare Frequenz: von der sofortigen Benachrichtigung bis zur monatlichen Zusammenfassung.
Sind meine Softwareprodukte anfällig?
Konfigurieren Sie Ihre Produkte (CMS, Server, Bibliotheken) über den CPE-Katalog. CVE Find überwacht die MITRE-Datenbank kontinuierlich und warnt Sie automatisch. 338 000+ CVE indexiert.
Wie priorisiere ich Patches?
Die CVSS-Bewertung (Schweregrad) und EPSS (Wahrscheinlichkeit einer tatsächlichen Ausnutzung) zeigen Ihnen, was zuerst korrigiert werden muss. Keine falschen Positiven mehr.
Welche Schwachstellen werden aktiv ausgenutzt?
Der integrierte CISA KEV-Katalog identifiziert Schwachstellen, die bereits in der Praxis ausgenutzt werden. Dies sind die Lücken, die mit absoluter Priorität zu schliessen sind.
Ist die Plattform auf Deutsch verfügbar?
Ja. CVE Find ist in Französisch, Englisch und Deutsch verfügbar. In der Schweiz von Bexxo entwickelt, ist es die einzige vollständige CVE-Plattform auf Deutsch.
Sind die Daten zuverlässig und aktuell?
Echtzeit-Synchronisierung mit MITRE, NVD, CISA und FIRST.org. Mehr als 48 000 CVE im Jahr 2025 hinzugefügt, und die Datenbank wird stündlich aktualisiert.
Bleiben Sie einen Schritt voraus mit den neuesten kritischen Sicherheitslücken.
CVE-2026-40281 - CRITICAL
06/05/2026
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, ...
OWSAP: A03
CVE-2026-44116 - HIGH
06/05/2026
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
ssrfOWSAP: A10
CVE-2026-44115 - HIGH
06/05/2026
OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime.
OWSAP: A03
CVE-2026-44110 - HIGH
06/05/2026
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior.
authorisationproblemOWSAP: A01
CVE-2026-44109 - CRITICAL
06/05/2026
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
CVE-2026-43584 - HIGH
06/05/2026
OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity...
OWSAP: A03
CVE-2026-43581 - CRITICAL
06/05/2026
OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration.
CVE-2026-43578 - CRITICAL
06/05/2026
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.
OWSAP: A03
CVE-2026-43575 - CRITICAL
06/05/2026
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.
authorisationproblemOWSAP: A01
CVE-2026-41938 - HIGH
06/05/2026
Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP ...
fileinclusionOWSAP: A04
CVE-2026-41934 - HIGH
06/05/2026
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then up...
OWSAP: A03
CVE-2026-41930 - CRITICAL
06/05/2026
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password h...
authorisationproblemOWSAP: A07
CVE-2024-30151 - HIGH
06/05/2026
HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications
OWSAP: A09
CVE-2026-7875 - HIGH
06/05/2026
NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbi...
directorytraversalOWSAP: A01
CVE-2026-42503 - HIGH
06/05/2026
gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.
CVE-2026-20034 - HIGH
06/05/2026
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitr...
OWSAP: A01
CVE-2026-5081 - CRITICAL
06/05/2026
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the proces...
OWSAP: A02
CVE-2025-31951 - HIGH
06/05/2026
HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.
commandinjectionOWSAP: A03OWSAP: A04
CVE-2026-40010 - CRITICAL
06/05/2026
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
OWSAP: A07
CVE-2026-7841 - HIGH
06/05/2026
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions.
codeinjectionOWSAP: A03
