VIR Vulnerability Intelligence Relay

Search

Found 45,401 results in 2338ms · Match type: Filtered list

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-46547 medium 5.5 15d ago NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
CVE-2026-46668 low 2.5 15d ago SpiceDB: Caveat structures with nested lists can result in improper cache reuse
CVE-2026-46683 medium 5.5 15d ago Snappy : SSRF and local file read via the xsl-style-sheet option
CVE-2026-46618 medium 5.5 15d ago Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
CVE-2026-4843 medium 4.3 4.3 15d ago The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and …
CVE-2026-46616 medium 5.5 15d ago Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
CVE-2026-46561 medium 5.0 5.0 15d ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An…
CVE-2026-46543 medium 5.5 15d ago nimiq-blockchain: Genesis batch set request
CVE-2026-46542 medium 5.5 15d ago nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points
CVE-2026-46539 medium 5.5 15d ago nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
CVE-2026-46497 low 2.5 15d ago Crawlee for Python: SSRF via sitemap-derived URLs
CVE-2026-48249 medium 5.9 5.9 15d ago Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing …
CVE-2026-48248 medium 5.9 5.9 15d ago Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound H…
CVE-2026-48247 medium 5.9 5.9 15d ago Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbou…
CVE-2026-48246 medium 5.9 5.9 15d ago Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTT…
CVE-2026-48245 medium 5.3 5.3 15d ago Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the sour…
CVE-2026-48244 medium 5.3 5.3 15d ago Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to th…
CVE-2026-48243 medium 5.3 5.3 15d ago Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can ext…
CVE-2026-48230 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsan…
CVE-2026-48229 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va…
CVE-2026-48228 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v…
CVE-2026-48227 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized val…
CVE-2026-48226 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va…
CVE-2026-48225 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value…
CVE-2026-48224 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-48223 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va…
CVE-2026-48222 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-48221 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized val…
CVE-2026-48220 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-48219 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-48218 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an uns…
CVE-2026-48217 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitiz…
CVE-2026-48216 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v…
CVE-2026-48215 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-48214 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-39593 medium 6.5 6.5 15d ago Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10.
CVE-2026-48213 medium 5.4 5.4 15d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value t…
CVE-2026-46486 medium 5.5 15d ago Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing
CVE-2026-46403 medium 5.5 15d ago Klever-Go KVM read-only execution can commit contract delete and upgrade side effects
CVE-2026-36189 medium 6.2 6.2 15d ago Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify_d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial…
CVE-2026-1816 medium 6.3 6.3 15d ago Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Appli…
CVE-2026-1815 medium 5.7 5.7 15d ago Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 b…
CVE-2026-34926 medium 6.7 8.2 KEV trendmicro 15d ago Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to depl…
CVE-2026-6841 medium 6.1 6.1 FIX debian debian bestpractical 15d ago Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary Jav…
CVE-2026-0393 medium 6.5 6.5 codesys 15d ago The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerabil…
CVE-2026-45254 medium 6.5 6.5 freebsd freebsd 15d ago In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an…
CVE-2026-45252 medium 5.5 5.5 freebsd freebsd 15d ago When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE …
CVE-2026-42396 medium 6.5 6.5 FIX debian debian powerdns 15d ago Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
CVE-2026-41999 medium 4.8 4.8 FIX debian debian powerdns 15d ago Incorrect Behaviour of Views with TCP PROXY Requests
CVE-2026-7837 low 3.7 3.7 FIX slesdebian debian 15d ago A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited da…
CVE-2026-44075 low 3.7 3.7 FIX slesdebian debian 15d ago A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session op…
CVE-2026-44074 low 3.7 3.7 FIX slesdebian debian 15d ago Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker…
CVE-2026-44071 low 3.7 3.7 FIX slesdebian debian 15d ago Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of servic…
CVE-2026-44057 low 3.1 3.1 FIX slesdebian debian 15d ago A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authen…
CVE-2026-27393 medium 5.3 5.3 15d ago Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6.
CVE-2026-27349 medium 4.3 4.3 15d ago Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a t…
CVE-2026-22880 medium 6.1 6.1 15d ago Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Ma…
CVE-2026-7836 low 3.1 3.1 FIX slesdebian debian 16d ago An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification v…
CVE-2026-7835 low 3.1 3.1 FIX slesdebian debian 16d ago A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string pro…
CVE-2026-4055 medium 4.3 4.3 mattermost 16d ago Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in…
CVE-2026-44076 medium 6.7 6.7 FIX slesdebian debian 16d ago Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path.
CVE-2026-44073 medium 5.0 5.0 FIX slesdebian debian 16d ago Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid(), which may allow a remote authenticated attacker to retain elevated privileges under error condition…
CVE-2026-44072 low 3.0 3.0 FIX slesdebian debian 16d ago Netatalk 2.2.1 through 4.4.2 calls system() after a failed chdir() without properly handling the error condition, which allows a local privileged user to execute unintended commands or cause a minor …
CVE-2026-44070 low 3.1 3.1 FIX slesdebian debian 16d ago An unbounded memory reallocation in the charset conversion code in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted character convers…
CVE-2026-44069 low 3.9 3.9 FIX slesdebian debian 16d ago An integer underflow in the volxlate function in Netatalk 3.0.0 through 4.4.2 allows a local privileged user to obtain limited information, modify limited data, or cause a minor service disruption vi…
CVE-2026-44067 medium 4.2 4.2 FIX slesdebian debian 16d ago A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via…
CVE-2026-44065 medium 4.2 4.2 FIX slesdebian debian 16d ago An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
CVE-2026-44063 medium 4.2 4.2 FIX slesdebian debian 16d ago An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted fil…
CVE-2026-44061 medium 5.9 5.9 FIX slesdebian debian 16d ago Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
CVE-2026-44059 medium 4.5 4.5 FIX slesdebian debian 16d ago A race condition in the privilege toggle mechanism in Netatalk 2.2.5 through 4.4.2 allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption.
CVE-2026-44056 medium 6.4 6.4 FIX slesdebian debian 16d ago A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
CVE-2026-44054 medium 6.5 6.5 FIX slesdebian debian 16d ago Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect m…
CVE-2026-2734 medium 6.5 6.5 lfprojects 16d ago In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authenticati…
CVE-2026-1543 medium 6.4 6.4 16d ago The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitizatio…
CVE-2026-4811 medium 4.9 4.9 16d ago The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all version…
CVE-2026-1881 medium 4.3 4.3 16d ago The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on…
CVE-2026-9149 medium 6.5 6.5 FIX debian debian sleswindows windows opensuseredhat 16d ago A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. T…
CVE-2026-9150 medium 6.5 6.5 FIX debian debian sleswindows windows opensuseredhat 16d ago A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could …
CVE-2026-47782 low 3.3 3.3 16d ago Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web p…
CVE-2026-40102 medium 6.5 6.5 plane 16d ago Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without vali…
CVE-2026-40094 medium 4.3 4.3 16d ago nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and s…
CVE-2026-9136 medium 6.5 6.5 misp 16d ago A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the …
CVE-2026-9124 medium 5.3 5.3 FIX debian debianmacos macos linux-kernel google 16d ago Insufficient validation of untrusted input in Input in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a craf…
CVE-2026-9122 medium 6.5 6.5 FIX debian debianmacos macoswindows windows google 16d ago Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium …
CVE-2026-9116 medium 4.3 4.3 FIX debian debianmacos macos linux-kernel google 16d ago Insufficient policy enforcement in ServiceWorker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: …
CVE-2026-9115 medium 4.3 4.3 FIX debian debianmacos macos linux-kernel google 16d ago Insufficient policy enforcement in Service Worker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severi…
CVE-2026-9113 medium 4.3 4.3 FIX debian debianmacos macos linux-kernel google 16d ago Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
CVE-2026-9110 medium 4.2 4.2 FIX debian debianmacos macos linux-kernel google 16d ago Inappropriate implementation in UI in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML pag…
CVE-2026-47099 medium 6.1 6.1 16d ago TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
CVE-2026-39311 medium 6.8 6.8 16d ago Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of S…
CVE-2026-35016 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-35015 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in do_unit_mail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitize…
CVE-2026-35014 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v…
CVE-2026-35013 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized va…
CVE-2026-35012 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_facnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized…
CVE-2026-35011 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in opena.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value…
CVE-2026-35010 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_JF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized …
CVE-2026-35009 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va…
CVE-2026-35008 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…
CVE-2026-35007 medium 4.6 4.6 16d ago Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single_unit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized…