CVE Find: monitor vulnerabilities in real time

More than 130 new vulnerabilities are published every day, and the trend continues to accelerate in 2026. CVE Find, our platform developed by Bexxo, alerts you in real time to those affecting your infrastructure.

Why vulnerability monitoring is critical for your business

In 2025, 48,185 new vulnerabilities (CVEs) were published — a 20% increase compared to 2024. In 2026, the trend is accelerating further. Every day, more than 130 flaws are made public, some of which affect the software your business uses daily.

According to the Verizon Data Breach Investigations Report, 60% of data breaches exploit vulnerabilities for which a patch already existed at the time of the attack. The problem is not the absence of patches — it is the absence of monitoring. No IT team can manually track 130 CVEs per day.

Explore our global solution

With CVE Find, explore the largest vulnerability database in the world.

CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed computer security flaws. The CVE program aims to facilitate data sharing across different vulnerability detection capabilities, whether they are tools, databases or services. It also provides a standard for assessing the coverage of these tools and services.

Go to CVE Find

What CVE Find does for you

How can I be alerted in real time?

CVE Find notifies you by email and SMS as soon as a vulnerability affects your products. Configurable frequency: from instant alerts to monthly summaries.

Are my software products vulnerable?

Configure your products (CMS, servers, libraries) via the CPE catalogue. CVE Find continuously monitors the MITRE database and alerts you automatically. 338,000+ CVEs indexed.

How do I prioritise patches?

CVSS scoring (severity) and EPSS (probability of real-world exploitation) show you what to fix first. No more false positives.

Which vulnerabilities are being actively exploited?

The integrated CISA KEV catalogue identifies vulnerabilities already exploited in the wild. These are the flaws to fix with absolute top priority.

Is the platform available in English?

Yes. CVE Find is available in French, English and German. Developed in Switzerland by Bexxo, it is the only comprehensive French-language CVE platform.

Is the data reliable and up to date?

Real-time synchronisation with MITRE, NVD, CISA and FIRST.org. More than 48,000 CVEs added in 2025, and the database is enriched every hour.

Permanent Update

Stay ahead with the latest critical security vulnerabilities.

9.9

CVE-2026-5366 - CRITICAL
20/06/2026

Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execu...

code injection, OWASP: A03

9.3

CVE-2022-50972 - CRITICAL
20/06/2026

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.

code injection, OWASP: A03

8.7

CVE-2020-37255 - HIGH
20/06/2026

WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.

OWASP: A07

10

CVE-2026-48908 - CRITICAL
20/06/2026

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

OWASP: A01

9.8

CVE-2026-11551 - CRITICAL
19/06/2026

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators, and leverage that to gain access to their ac...

OWASP: A07

8.7

CVE-2026-56082 - HIGH
19/06/2026

Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function u...

OWASP: A01

8.7

CVE-2026-8806 - HIGH
19/06/2026

Expected Behavior Violation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the prod...

8.5

CVE-2026-56012 - HIGH
18/06/2026

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows Blind SQL Injection. This issue affects Media Library Assistant: from n/a through 3.35.

SQL injection, OWASP: A03

8.8

CVE-2026-8461 - HIGH
18/06/2026

An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2.

overflow

8.8

CVE-2026-9860 - HIGH
18/06/2026

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config....

file inclusion, OWASP: A04

9.3

CVE-2026-12569 - CRITICAL
18/06/2026

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. This advisory also applies to all CPS versions. The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030.

OWASP: A03, OWASP: A08

9.3

CVE-2026-48768 - CRITICAL
17/06/2026

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to att...

directory traversal, cross-site scripting, OWASP: A01, OWASP: A03

9.2

CVE-2026-55200 - CRITICAL
17/06/2026

libssh2 through 1.11.1, fixed in commit 7acf3df, contains an out-of-bounds write vulnerability in ssh2_transport_read(), which fails to enforce upper bounds on the packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

9.3

CVE-2026-48797 - CRITICAL
16/06/2026

Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: --auth user:...

authorisation problem, OWASP: A01

9.1

CVE-2026-22313 - CRITICAL
16/06/2026

The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.

OS command injection, OWASP: A03

8.6

CVE-2026-22312 - HIGH
16/06/2026

The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).

OWASP: A07

8.3

CVE-2026-53853 - HIGH
16/06/2026

OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or...

authorisation problem, OWASP: A01

8.8

CVE-2026-53843 - HIGH
16/06/2026

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.

authorisation problem, OWASP: A07

9.1

CVE-2026-53776 - CRITICAL
16/06/2026

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indef...

authorisation problem, OWASP: A07

8.8

CVE-2026-44932 - HIGH
16/06/2026

Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.

OS command injection, OWASP: A03

680+ CVEs in the last 7 days
Last updated: 2026-06-21 17:47

Management of CVEs and CWEs: Your Shield Against Cyber Threats.

21399+ CVE - Authorization problems

9302+ CVE - Cross-Site Request Forgery

19399+ CVE - SQL Injection

44739+ CVE - Cross-site Scripting

Why choose Bexxo?

I

Certified Expertise

CyberSafe Label certified and authorized to handle confidential data for federal institutions, our experts apply the highest security standards in the industry.

II

Personalized Support

We adapt our services to your specific needs, whether you are an SME or a large company.

III

Proactive Protection

We anticipate threats before they become a problem, thereby reducing risks and the impact of attacks.

Don't let your business be vulnerable to cyber threats. With Bexxo, secure your digital future today!

Frequently asked questions about CVE Find

How does CVE Find help with nFADP compliance?

The nFADP requires appropriate technical measures to protect data. Vulnerability monitoring is one of these measures: identifying and fixing flaws in your systems demonstrates proactive security management. CVE Find provides the traceability needed in the event of an inspection by the FDPIC.

How does the CVE Find alert system work?

You configure the list of products and technologies you use (servers, CMS, libraries, network equipment). CVE Find continuously monitors the MITRE database and alerts you by email or SMS as soon as a new vulnerability affects one of your products, with the severity score and patch recommendations.

How many CVEs are published each year?

The volume of published CVEs increases every year: 25,227 in 2022, 29,065 in 2023, 40,009 in 2024, and 48,185 in 2025. In 2026, the trend continues to accelerate with more than 130 CVEs published per day. CVE Find indexes all these vulnerabilities in real time.

Is CVE Find free?

Consulting the CVE Find database on www.cvefind.com is free and accessible to all. Advanced features (personalised alerts, monitoring of specific products, SMS notifications) are available to Bexxo clients as part of our audit and monitoring packages.

What is CVE Find?

CVE Find is a Swiss vulnerability monitoring platform, developed and maintained by Bexxo (tesweb SA). It covers the entire MITRE CVE database with real-time updates, email and SMS alerts, and integrated scoring to prioritise patches. The interface is available in French, English and German.

What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a known security flaw (e.g. CVE-2024-12345). This system, maintained by the MITRE Corporation, allows security professionals to reference the same vulnerability universally. In 2025, more than 48,000 new CVEs were published (+20% vs 2024).

What is the difference between CVE Find and the NIST NVD database?

The NVD (National Vulnerability Database) from NIST is the official US source. CVE Find aggregates this data and adds a layer of personalised alerts, product filtering and EPSS scoring (real-world exploitation probability) that the NVD does not offer natively. The interface is available in English.

Why is CVE monitoring essential for an SME?

More than 130 vulnerabilities are published every day, and this number increases year on year (+20% between 2024 and 2025). Without active monitoring, your company may be using software with known and exploitable flaws. 60% of data breaches exploit vulnerabilities for which a patch already existed (Verizon DBIR).
Discover how Bexxo can secure your business. Don't hesitate to contact us for a personalized consultation today!