Search

Found 33,041 results in 3970ms · Match type: Filtered list

CVE	Severity	CVSS	Risk	Flags	OS	Vendor	Published	Description
CVE-2026-45327	high	8.2	8.2				19d ago	TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the …
CVE-2026-41085	high	8.8	8.8				19d ago	Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrato…
CVE-2026-45325	high	—	8.0				19d ago	@tmlmobilidade/utils has prototype pollution in its setValueAtPath
CVE-2026-2728	low	—	2.5				19d ago	LibreNMS: Cross-Site Scripting in ShowConfigController
CVE-2026-45302	high	8.2	8.2				19d ago	parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nes…
CVE-2026-45300	high	7.4	7.4				19d ago	The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch pri…
CVE-2026-46385	high	—	8.0				19d ago	iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state ins…
CVE-2026-45270	high	—	8.0				19d ago	CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule
CVE-2026-46384	high	—	8.0				19d ago	iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before …
CVE-2026-45149	high	7.5	7.5		debian	juliangruber	19d ago	The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large num…
CVE-2025-57282	high	8.8	8.8				19d ago	ngrok is Vulnerable to Command Injection
CVE-2025-56352	high	7.5	7.5				19d ago	In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length C…
CVE-2026-41949	high	7.5	7.5			dify	19d ago	Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document acros…
CVE-2026-39079	high	7.5	7.5				19d ago	An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBas…
CVE-2026-26462	high	7.3	7.3				19d ago	Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation…
CVE-2026-45627	high	8.2	8.2				19d ago	Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query param…
CVE-2026-45135	high	—	8.0				19d ago	Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files
CVE-2026-46510	high	8.2	8.2				19d ago	form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, …
CVE-2026-42009	high	7.5	7.5	FIX	debian sles windows		19d ago	RHSA-2026:20612: gnutls security update (Important)
CVE-2026-8803	low	3.7	3.7				19d ago	A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation cau…
CVE-2026-7498	high	8.8	8.8				19d ago	Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored…
CVE-2026-6347	high	7.6	7.6			mattermost	19d ago	Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
CVE-2026-6346	high	8.7	8.7			mattermost	19d ago	Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
CVE-2026-4643	low	3.5	3.5			mattermost	19d ago	Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server …
CVE-2026-8788	high	7.3	7.3				19d ago	Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sour…
CVE-2026-6334	low	3.8	3.8			mattermost	19d ago	Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
CVE-2026-6495	high	7.1	7.1				19d ago	The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used again…
CVE-2026-6381	high	7.5	7.5				19d ago	The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
CVE-2026-6379	high	8.6	8.6				19d ago	The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection at…
CVE-2026-3220	high	8.8	8.8				19d ago	The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Script…
CVE-2026-8785	high	7.3	7.3				19d ago	A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Param…
CVE-2026-8776	high	8.8	8.8				19d ago	A vulnerability has been found in Edimax BR-6428NS 1.10. This vulnerability affects the function formPPTPSetup of the file /goform/formPPTPSetup of the component POST Request Handler. Such manipulati…
CVE-2026-8775	high	8.8	8.8				19d ago	A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. This manipulation of the argument L2TP…
CVE-2026-8771	high	7.3	7.3				19d ago	org.linlinjava:litemall-wx-api has an Injection issue
CVE-2026-8770	low	3.3	3.3			continue	19d ago	A vulnerability was identified in continuedev continue up to 1.2.22. This affects the function lsTool of the file core/tools/implementations/lsTool.ts of the component JSON-RPC Server. Such manipulat…
CVE-2026-45363	high	—	8.0				19d ago	ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
CVE-2026-42945	high	8.1	8.1	FIX	rhel sles debian		19d ago	RHSA-2026:18041: nginx:1.24 security update (Critical)
CVE-2026-41316	high	8.1	8.1	FIX	rhel sles debian	google	19d ago	Important: ruby:4.0 security update
CVE-2026-33416	high	—	8.0	FIX	rhel debian sles		19d ago	Important: thunderbird security update
CVE-2026-8768	high	7.3	7.3			vercel	19d ago	A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils.…
CVE-2026-8767	high	7.5	7.5			vercel	19d ago	A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manip…
CVE-2026-8764	high	7.2	7.2				19d ago	A security vulnerability has been detected in H3C Magic B3 up to 100R002. This affects the function UpdateWanParams of the file /goform/aspForm. Such manipulation of the argument param leads to buffe…
CVE-2026-46720	high	8.2	8.2				20d ago	Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources c…
CVE-2026-8759	high	7.3	7.3				20d ago	Beetl's SpELFunction extension function has an expression injection risk
CVE-2026-8758	high	7.3	7.3				20d ago	A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lea…
CVE-2026-8756	high	7.3	7.3				20d ago	A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The impacted element is the function generate_config of the file webui_preprocess.py of the comp…
CVE-2026-8755	high	7.3	7.3				20d ago	A flaw has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The affected element is the function _get_all_models of the file hiyoriUI.py of the component Model Handl…
CVE-2018-25339	high	8.2	8.2				20d ago	Zechat 1.5 contains a SQL injection vulnerability in the v parameter that allows unauthenticated attackers to extract database information using time-based blind techniques. Attackers can exploit the…
CVE-2018-25338	high	8.2	8.2				20d ago	Zechat 1.5 contains a SQL injection vulnerability in the hashtag parameter that allows unauthenticated attackers to extract database information using union-based techniques. Attackers can exploit th…
CVE-2018-25333	high	8.2	8.2				20d ago	Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …
CVE-2018-25330	high	8.2	8.2				20d ago	Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. At…
CVE-2018-25329	high	7.5	7.5				20d ago	WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attack…
CVE-2018-25328	high	8.4	8.4				20d ago	VX Search 10.6.18 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying an oversized string in the directory field. Attackers can craf…
CVE-2018-25326	high	7.5	7.5				20d ago	Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name parame…
CVE-2018-25325	high	7.5	7.5				20d ago	Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX …
CVE-2018-25323	high	8.4	8.4				20d ago	Allok AVI DivX MPEG to DVD Converter 2.6.1217 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payl…
CVE-2018-25322	high	8.4	8.4				20d ago	Allok Fast AVI MPEG Splitter 1.2 contains a stack based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious license name string. Attackers can…
CVE-2018-25319	high	7.1	7.1				20d ago	Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Att…
CVE-2026-8750	high	7.5	7.5			h2o	20d ago	A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFi…
CVE-2026-8741	low	3.1	3.1			emqx	20d ago	A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqx_persistent_session_ds.erl of the component QoS 2 PUBLISH Packet Handler. Such manip…
CVE-2026-8734	high	7.3	7.3				20d ago	A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this issue is the function RSQLToSQLNodeConnector.makeVariable of the component queryListByWrapper Interface. This manipulatio…
CVE-2026-8719	high	8.8	8.8				20d ago	The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in t…
CVE-2026-8725	high	7.3	7.3				20d ago	A weakness has been identified in CoreWorxLab CAAL up to 1.6.0. The affected element is an unknown function of the file src/caal/webhooks.py of the component test-hass Endpoint. This manipulation cau…
CVE-2026-8724	high	7.2	7.2			dataease	20d ago	A security flaw has been discovered in Dataease 2.10.20. Impacted is the function SqlparserUtils.transFilter of the file SqlparserUtils.java of the component Data Dashboard. The manipulation results …
CVE-2026-46728	high	8.2	8.2		sles debian		20d ago	Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash.
CVE-2021-47980	high	7.1	7.1				21d ago	Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log i…
CVE-2021-47979	high	8.8	8.8				21d ago	WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers …
CVE-2021-47977	high	7.5	7.5				21d ago	WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the f…
CVE-2021-47976	high	8.8	8.8				21d ago	TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can…
CVE-2021-47975	high	7.2	7.2				21d ago	WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the `fieldtitle` parameter. Attackers can submit …
CVE-2021-47974	high	7.8	7.8				21d ago	VX Search 13.5.28 contains an unquoted service path vulnerability in both VX Search Server and VX Search Enterprise services that allows local attackers to escalate privileges. Attackers can place ma…
CVE-2021-47973	high	7.5	7.5				21d ago	Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can gener…
CVE-2021-47972	high	7.5	7.5				21d ago	Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can p…
CVE-2021-47971	high	7.5	7.5				21d ago	My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a pa…
CVE-2021-47970	high	7.5	7.5				21d ago	Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can generate a payload…
CVE-2021-47969	high	7.5	7.5				21d ago	Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payl…
CVE-2021-47956	high	8.2	8.2				21d ago	EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers…
CVE-2021-47954	high	8.2	8.2				21d ago	LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Attackers can send…
CVE-2021-47942	high	7.5	7.5			hacs	21d ago	Home Assistant Community Store (HACS) prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfile…
CVE-2020-37247	high	7.8	7.8				21d ago	Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers …
CVE-2020-37245	high	7.5	7.5				21d ago	Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequ…
CVE-2020-37244	high	8.2	8.2				21d ago	Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' p…
CVE-2020-37243	high	8.2	8.2				21d ago	Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl acti…
CVE-2020-37242	high	8.2	8.2				21d ago	Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parame…
CVE-2020-37232	high	7.8	7.8				21d ago	Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Atta…
CVE-2020-37231	high	7.8	7.8				21d ago	Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Atta…
CVE-2020-37230	high	7.8	7.8				21d ago	Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path…
CVE-2020-37229	high	7.8	7.8				21d ago	OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service that allows local attackers to escalate privileges by inserting executable files into the unqu…
CVE-2020-37227	high	8.8	8.8				21d ago	HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can…
CVE-2026-8657	high	8.2	8.2				21d ago	Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform pro…
CVE-2026-8700	high	7.3	7.3	FIX	debian		21d ago	Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
CVE-2026-45665	high	8.1	8.1			openwebui	21d ago	Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
CVE-2026-45316	low	3.5	3.5			openwebui	21d ago	Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)
CVE-2026-45315	high	8.7	8.7			openwebui	21d ago	Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
CVE-2026-45301	high	8.1	8.1			openwebui	21d ago	Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
CVE-2026-44570	high	8.3	8.3			openwebui	21d ago	Open WebUI has inconsistent authorization controls within memories API
CVE-2026-44569	high	7.1	7.1			openwebui	21d ago	Open WebUI's Insecure Message Access Breaks Authorization
CVE-2026-44565	high	8.1	8.1			openwebui	21d ago	Open WebUI Arbitrary File Write, Delete via Path Traversal
CVE-2026-44549	high	8.7	8.7			openwebui	21d ago	Open WebUI has stored XSS in Excel file preview
CVE-2026-46367	high	7.6	7.6				21d ago	phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craf…