Detections
Analytics

CVEs

Tenable maintains a list of Common Vulnerabilities and Exposures (CVEs) and their affected products. Tenable augments the data to include related Tenable Plugins that detect each vulnerability. 332946 CVEs are indexed from NVD.

RSS Feeds

Search

Vulnerability Watch ›

  • CVE-2026-1340
    criticalVulnerability of Interest

    Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.

  • CVE-2026-1281
    criticalVulnerability of Interest

    Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.

  • CVE-2025-40551
    criticalVulnerability of Interest

    This critical vulnerability affecting SolarWinds Web Help Desk has been reportedly exploited in the wild and should be remediated as soon as possible.

  • CVE-2026-1731
    criticalVulnerability Being Monitored

    This critical severity remote code execution vulnerability affecting BeyondTrust Remote Support and Privileged Remote Access should be patched as soon as possible.

  • CVE-2025-40554
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

  • CVE-2025-40553
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

  • CVE-2025-40552
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

Newest ›

  • CVE-2026-1357
    critical

    The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.

  • CVE-2026-1235
    critical

    The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

  • CVE-2025-15400
    medium

    The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.

  • CVE-2026-26079
    medium

    Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

  • CVE-2026-26044
    No Score

    Rejected reason: Not used

  • CVE-2026-26043
    No Score

    Rejected reason: Not used

  • CVE-2026-26042
    No Score

    Rejected reason: Not used

  • CVE-2026-26041
    No Score

    Rejected reason: Not used

  • CVE-2026-26040
    No Score

    Rejected reason: Not used

  • CVE-2026-26039
    No Score

    Rejected reason: Not used

Updated ›