Known Exploited Vulnerabilities

Focus on What Matters

There are 349,949 vulnerabilities in the CVE database.
Whilst only 1.1% are ever actively exploited.

This list contains the vulnerabilities that are actively exploited by malware and threat actors that you should prioritize first.

This table displays known exploited vulnerabilities (KEVs) that have been cataloged from over 60 public sources, including CISA, and our own private sensors. Each entry links to a CVE identifier, where the CVE details are enriched with EPSS scores, online mentions, scanner inclusion, exploitation, tags, and other metadata. The goal is to be an early warning system, even before being published by CISA. More data and features coming soon!

Aware of a KEV not on the list? Let us know!

CVE ID	Title	Vendor	Product	Added	Source
CVE-2025-5605	Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure	WSO2	WSO2 Identity Server, WSO2 Enterprise Integrator, WSO2 Universal Gateway, WSO2 Traffic Manager, WSO2 API Manager, WSO2 API Control Plane, WSO2 Identity Server as Key Manager, WSO2 Open Banking AM, WSO2 Open Banking IAM, org.wso2.carbon:org.wso2.carbon.ui	2026-02-15 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2025-5287	Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection	erumfaham	Likes and Dislikes Plugin	2026-02-15 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2020-11854	Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) products.	Micro Focus	Application Performance Management, Operation Bridge (containerized), Operation Bridge Manager	2026-02-15 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2024-4443	Business Directory Plugin – Easy Listing Directories for WordPress <= 6.4.2 - Unauthenticated SQL Injection via listingfields Parameter	strategy11team	Business Directory Plugin – Easy Listing Directories for WordPress	2026-02-14 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2024-45388	Arbitrary file read in the `/api/v2/simulation` endpoint in hoverfly (`GHSL-2023-274`)	SpectoLabs	hoverfly	2026-02-14 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2024-34257	TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary...	n/a	n/a	2026-02-14 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2024-49380	Plenti arbitrary file write vulnerability	plentico	plenti	2026-02-14 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2024-50334	Semicolon Path Injection on API /api;/config	Erudika	scoold	2026-02-14 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2026-21962	Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy...	Oracle Corporation	Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in	2026-02-13 12:00:09 UTC	The Shadowserver (via CIRCL)
CVE-2020-22165	PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can...	n/a	n/a	2026-02-13 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2022-3481	WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi	Unknown	WooCommerce Dropshipping	2026-02-12 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2018-14918	LOYTEC LGATE-902 6.3.2 devices allow Directory Traversal.	n/a	n/a	2026-02-11 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2025-0107	Expedition: OS Command Injection Vulnerability	Palo Alto Networks	Cloud NGFW, Expedition, Panorama, PAN-OS, Prisma Access	2026-02-11 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2025-68947	NSecsoft NSecKrnl process termination privilege escalation	NSecsoft	NSecKrnl	2026-02-10 14:44:42 UTC	The Shadowserver (via CIRCL)
CVE-2020-16139	A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through...	n/a	n/a	2026-02-10 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2021-45092	Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.	n/a	n/a	2026-02-08 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2020-35476	A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written...	n/a	n/a	2026-02-08 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2026-21858	n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling	n8n-io	n8n	2026-02-07 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2020-26948	Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.	n/a	n/a	2026-02-06 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2022-22956	VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A...	n/a	VMware Workspace ONE Access	2026-02-05 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2025-34045	WeiPHP Path Traversal Arbitrary File Read	Shenzhen Yuanmengyun Technology Co., Ltd.	WeiPHP	2026-02-04 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2023-7335	EduSoho < 22.4.7 Arbitrary File Read via classroom-course-statistics	Hangzhou Kuozhi Network Technology Co., Ltd.	EduSoho	2026-02-04 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2025-34047	Leadsec VPN Path Traversal Arbitrary File Read	Beijing NetGuard Nebula Information Technology Co., Ltd.	Leadsec SSL VPN	2026-02-04 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2025-34046	Fanwei E-Office Unauthenticated File Upload	Shanghai Fanwei Network Technology	E-Office	2026-01-30 00:00:00 UTC	The Shadowserver (via CIRCL)
CVE-2022-1386	Fusion Builder < 3.6.2 - Unauthenticated SSRF	Unknown	Fusion Builder	2026-01-30 00:00:00 UTC	The Shadowserver (via CIRCL)

Displaying vulnerabilities 376 - 400 of 3822 in total