Detections
Analytics
CVEs
Tenable maintains a list of Common Vulnerabilities and Exposures (CVEs) and their affected products. Tenable augments the data to include related Tenable Plugins that detect each vulnerability. 332718 CVEs are indexed from NVD.
RSS Feeds
Search
Vulnerability Watch ›
CVE-2026-1340
criticalVulnerability of Interest
Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.
CVE-2026-1281
criticalVulnerability of Interest
Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.
CVE-2025-40551
criticalVulnerability of Interest
This critical vulnerability affecting SolarWinds Web Help Desk has been reportedly exploited in the wild and should be remediated as soon as possible.
CVE-2026-24858
criticalVulnerability of Interest
Fortinet has observed in the wild exploitation of this vulnerability. Customers must upgrade to the latest versions in order to use FortiCloud SSO authentication
CVE-2026-1731
criticalVulnerability Being Monitored
This critical severity remote code execution vulnerability affecting BeyondTrust Remote Support and Privileged Remote Access should be patched as soon as possible.
CVE-2025-40554
criticalVulnerability Being Monitored
This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past
CVE-2025-40553
criticalVulnerability Being Monitored
This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past
CVE-2025-40552
criticalVulnerability Being Monitored
This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past
Newest ›
CVE-2026-22153
high
An Authentication Bypass by Primary Weakness vulnerability [CWE-305] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4 may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, when the remote LDAP server is configured in a specific way.
CVE-2026-21743
high
A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint.
CVE-2026-1774
critical
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
CVE-2026-1603
high
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
CVE-2026-1602
medium
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
CVE-2025-70347
medium
An issue in mquickjs before commit 74b7e (2026-01-15) allows a local attacker to cause a denial of service via a crafted file to the get_mblock_size function at mquickjs.c.
CVE-2025-68686
medium
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. An attacker would need first to have compromised the product via another vulnerability, at filesystem level.
CVE-2025-64157
medium
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration.
CVE-2025-62676
high
An Improper Link Resolution Before File Access ('Link Following') vulnerability [CWE-59] vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.4, FortiClientWindows 7.2.0 through 7.2.12, FortiClientWindows 7.0 all versions may allow a local low-privilege attacker to perform an arbitrary file write with elevated permissions via crafted named pipe messages.
CVE-2025-62439
medium
An Improper Verification of Source of a Communication Channel vulnerability [CWE-940] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions may allow an authenticated user with knowledge of FSSO policy configurations to gain unauthorized access to protected network resources via crafted requests.
Updated ›
CVE-2026-25981
No Score
Rejected reason: Not used
CVE-2026-25980
No Score
Rejected reason: Not used
CVE-2026-25979
No Score
Rejected reason: Not used
CVE-2026-25978
No Score
Rejected reason: Not used
CVE-2026-25977
No Score
Rejected reason: Not used
CVE-2026-25976
No Score
Rejected reason: Not used
CVE-2026-25975
No Score
Rejected reason: Not used
CVE-2026-25974
No Score
Rejected reason: Not used
CVE-2026-25973
No Score
Rejected reason: Not used
CVE-2026-25961
high
SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution.