Warum die Überwachung von Schwachstellen für Ihr Unternehmen kritisch ist
Im Jahr 2025 wurden 48 185 neue Schwachstellen (CVE) veröffentlicht — ein Anstieg von 20 % gegenüber 2024. Im Jahr 2026 beschleunigt sich der Trend noch weiter. Jeden Tag werden mehr als 130 Sicherheitslücken öffentlich gemacht, von denen einige die Software betreffen, die Ihr Unternehmen täglich nutzt.
Laut dem Verizon Data Breach Investigations Report nutzen 60 % der Datenverletzungen Schwachstellen aus, für die zum Zeitpunkt des Angriffs bereits ein Patch vorhanden war. Das Problem ist nicht das Fehlen von Patches — es ist das Fehlen von Überwachung. Kein IT-Team kann manuell 130 CVE pro Tag verfolgen.
Avec CVE Find, explorez la plus grande base de données de vulnérabilités au monde.
Le CVE (Common Vulnerabilities and Exposures) est une liste de failles de sécurité informatique divulguées publiquement. Le programme CVE a pour objectif de faciliter le partage des données entre les différentes capacités de détection des vulnérabilités, qu'il s'agisse d'outils, de bases de données ou de services. Il fournit également une norme pour évaluer la couverture de ces outils et services.
Accédez à CVE Find
Was CVE Find für Sie tut
Wie werde ich in Echtzeit gewarnt?
CVE Find benachrichtigt Sie per E-Mail und SMS, sobald eine Schwachstelle Ihre Produkte betrifft. Konfigurierbare Frequenz: von der sofortigen Benachrichtigung bis zur monatlichen Zusammenfassung.
Sind meine Softwareprodukte anfällig?
Konfigurieren Sie Ihre Produkte (CMS, Server, Bibliotheken) über den CPE-Katalog. CVE Find überwacht die MITRE-Datenbank kontinuierlich und warnt Sie automatisch. 338 000+ CVE indexiert.
Wie priorisiere ich Patches?
Die CVSS-Bewertung (Schweregrad) und EPSS (Wahrscheinlichkeit einer tatsächlichen Ausnutzung) zeigen Ihnen, was zuerst korrigiert werden muss. Keine falschen Positiven mehr.
Welche Schwachstellen werden aktiv ausgenutzt?
Der integrierte CISA KEV-Katalog identifiziert Schwachstellen, die bereits in der Praxis ausgenutzt werden. Dies sind die Lücken, die mit absoluter Priorität zu schliessen sind.
Ist die Plattform auf Deutsch verfügbar?
Ja. CVE Find ist in Französisch, Englisch und Deutsch verfügbar. In der Schweiz von Bexxo entwickelt, ist es die einzige vollständige CVE-Plattform auf Deutsch.
Sind die Daten zuverlässig und aktuell?
Echtzeit-Synchronisierung mit MITRE, NVD, CISA und FIRST.org. Mehr als 48 000 CVE im Jahr 2025 hinzugefügt, und die Datenbank wird stündlich aktualisiert.
Bleiben Sie einen Schritt voraus mit den neuesten kritischen Sicherheitslücken.
CVE-2026-5366 - CRITICAL
20/06/2026
Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execu...
codeinjectionOWSAP: A03
CVE-2022-50972 - CRITICAL
20/06/2026
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.
codeinjectionOWSAP: A03
CVE-2020-37255 - HIGH
20/06/2026
WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.
OWSAP: A07
CVE-2026-48908 - CRITICAL
20/06/2026
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
OWSAP: A01
CVE-2026-11551 - CRITICAL
19/06/2026
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their ac...
OWSAP: A07
CVE-2026-56082 - HIGH
19/06/2026
Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function u...
OWSAP: A01
CVE-2026-8806 - HIGH
19/06/2026
Expected Behavior Violation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the prod...
CVE-2026-56012 - HIGH
18/06/2026
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows Blind SQL Injection. This issue affects Media LIbrary Assistant: from n/a through 3.35.
sqlinjectionOWSAP: A03
CVE-2026-8461 - HIGH
18/06/2026
An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2.
overflow
CVE-2026-9860 - HIGH
18/06/2026
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config....
fileinclusionOWSAP: A04
CVE-2026-12569 - CRITICAL
18/06/2026
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030
OWSAP: A03OWSAP: A08
CVE-2026-48768 - CRITICAL
17/06/2026
TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to att...
directorytraversalcrosssitescriptingOWSAP: A01OWSAP: A03
CVE-2026-55200 - CRITICAL
17/06/2026
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.
CVE-2026-48797 - CRITICAL
16/06/2026
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: --auth user:...
authorisationproblemOWSAP: A01
CVE-2026-22313 - CRITICAL
16/06/2026
The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.
oscommandinjectionOWSAP: A03
CVE-2026-22312 - HIGH
16/06/2026
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).
OWSAP: A07
CVE-2026-53853 - HIGH
16/06/2026
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or...
authorisationproblemOWSAP: A01
CVE-2026-53843 - HIGH
16/06/2026
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
authorisationproblemOWSAP: A07
CVE-2026-53776 - CRITICAL
16/06/2026
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indef...
authorisationproblemOWSAP: A07
CVE-2026-44932 - HIGH
16/06/2026
Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
oscommandinjectionOWSAP: A03
