Detections
Analytics

CVEs

Tenable maintains a list of Common Vulnerabilities and Exposures (CVEs) and their affected products. Tenable augments the data to include related Tenable Plugins that detect each vulnerability. 332668 CVEs are indexed from NVD.

RSS Feeds

Search

Vulnerability Watch ›

  • CVE-2026-1340
    criticalVulnerability of Interest

    Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.

  • CVE-2026-1281
    criticalVulnerability of Interest

    Two Ivanti Endpoint Manager Mobile zero-day flaws were exploited in the wild in limited attacks. Apply the available patches immediately.

  • CVE-2025-40551
    criticalVulnerability of Interest

    This critical vulnerability affecting SolarWinds Web Help Desk has been reportedly exploited in the wild and should be remediated as soon as possible.

  • CVE-2026-24858
    criticalVulnerability of Interest

    Fortinet has observed in the wild exploitation of this vulnerability. Customers must upgrade to the latest versions in order to use FortiCloud SSO authentication

  • CVE-2026-1731
    criticalVulnerability Being Monitored

    This critical severity remote code execution vulnerability affecting BeyondTrust Remote Support and Privileged Remote Access should be patched as soon as possible.

  • CVE-2025-40554
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

  • CVE-2025-40553
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

  • CVE-2025-40552
    criticalVulnerability Being Monitored

    This critical vulnerability affecting SolarWinds Web Help Desk should be remediated as soon as possible. Solar Winds products have been highly targeted in the past

Newest ›

  • CVE-2026-0996
    medium

    The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows Subscriber-level users to trigger AI form generation via a protected endpoint. When prompted, AI services will typically return bare JavaScript code (without <script> tags), which bypasses the plugin's sanitization. This stored JavaScript executes whenever anyone views the generated form, making it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts that will execute in the context of any user accessing the form.

  • CVE-2025-13064
    medium

    A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that have been tampered with.

  • CVE-2025-12757
    medium

    An AXIS Camera Station Pro feature can be exploited in a way that allows a non-admin user to view information they are not permitted to.

  • CVE-2025-11547
    high

    AXIS Camera Station Pro contained a flaw to perform a privilege escalation attack on the server as a non-admin user.

  • CVE-2025-11142
    high

    The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account.

  • CVE-2025-12063
    medium

    An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions.

  • CVE-2026-25981
    No Score

    Rejected reason: Not used

  • CVE-2026-25980
    No Score

    Rejected reason: Not used

  • CVE-2026-25979
    No Score

    Rejected reason: Not used

  • CVE-2026-25978
    No Score

    Rejected reason: Not used

Updated ›

  • CVE-2026-25981
    No Score

    Rejected reason: Not used

  • CVE-2026-25980
    No Score

    Rejected reason: Not used

  • CVE-2026-25979
    No Score

    Rejected reason: Not used

  • CVE-2026-25978
    No Score

    Rejected reason: Not used

  • CVE-2026-25977
    No Score

    Rejected reason: Not used

  • CVE-2026-25976
    No Score

    Rejected reason: Not used

  • CVE-2026-25975
    No Score

    Rejected reason: Not used

  • CVE-2026-25974
    No Score

    Rejected reason: Not used

  • CVE-2026-25973
    No Score

    Rejected reason: Not used

  • CVE-2026-24328
    medium

    SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.