Detections
Analytics

CVEs

Tenable maintains a list of Common Vulnerabilities and Exposures (CVEs) and their affected products. Tenable augments the data to include related Tenable Plugins that detect each vulnerability. 332390 CVEs are indexed from NVD.

RSS Feeds

Search

Vulnerability Watch ›

  • CVE-2026-1340
    criticalVulnerability of Interest

    Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.

  • CVE-2026-1281
    criticalVulnerability of Interest

    Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.

  • CVE-2025-40551
    criticalVulnerability of Interest

    This critical vulnerability affecting SolarWinds Web Help Desk has been reportedly exploited in the wild and should be remediated as soon as possible.

  • CVE-2026-24858
    criticalVulnerability of Interest

    Fortinet has observed in the wild exploitation of this vulnerability. Customers must upgrade to the latest versions in order to use FortiCloud SSO authentication

  • CVE-2026-21509
    highVulnerability of Interest

    Microsoft released this out of band update to address a security feature bypass vulnerability that has been exploited in the wild. Immediate patching is recommended

  • CVE-2024-37079
    criticalVulnerability of Interest

    Exploitation has been reported for this VMware vCenter Server vulnerability. Patches are available and should be applied as soon as possible.

  • CVE-2025-40554
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

  • CVE-2025-40553
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

  • CVE-2025-40552
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

  • CVE-2026-22709
    criticalVulnerability Being Monitored

    This critical sandbox escape vulnerability affects the Node.js library and can be abused to execute commands. Immediate patching is recommended.

Newest ›

  • CVE-2026-2115
    medium

    A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/delete_expenses.php. This manipulation of the argument expenses_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

  • CVE-2026-2114
    medium

    A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.

  • CVE-2026-25859
    high

    Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

  • CVE-2026-25858
    critical

    macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

  • CVE-2026-25857
    high

    Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

  • CVE-2026-25568
    high

    WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.

  • CVE-2026-25567
    medium

    WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

  • CVE-2026-25566
    high

    WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.

  • CVE-2026-25565
    high

    WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.

  • CVE-2026-25564
    high

    WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

Updated ›

  • CVE-2026-25859
    high

    Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

  • CVE-2026-25858
    critical

    macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

  • CVE-2026-25857
    high

    Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

  • CVE-2026-25845
    No Score

    Rejected reason: Not used

  • CVE-2026-25844
    No Score

    Rejected reason: Not used

  • CVE-2026-25843
    No Score

    Rejected reason: Not used

  • CVE-2026-25842
    No Score

    Rejected reason: Not used

  • CVE-2026-25841
    No Score

    Rejected reason: Not used

  • CVE-2026-25840
    No Score

    Rejected reason: Not used

  • CVE-2026-25839
    No Score

    Rejected reason: Not used