Found 62,165 results in 7514ms · Match type: Filtered list

CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-46361 medium 6.9 6.9 23d ago phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protect…
CVE-2026-45007 medium 4.3 4.3 23d ago phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authentic…
CVE-2026-44366 medium 6.1 6.1 23d ago Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS com…
CVE-2021-47968 medium 6.4 6.4 23d ago Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description p…
CVE-2021-47967 medium 6.1 6.1 23d ago PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers …
CVE-2021-47962 medium 6.4 6.4 23d ago Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers…
CVE-2021-47958 medium 4.3 4.3 23d ago CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG file…
CVE-2026-45619 medium 6.5 6.5 wwbn 23d ago WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS …
CVE-2026-45610 medium 6.5 6.5 wwbn 23d ago WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA val…
CVE-2026-45580 medium 5.4 5.4 wwbn 23d ago WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream …
CVE-2026-23695 medium 5.4 5.4 23d ago Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option
CVE-2026-46383 medium 5.5 5.5 23d ago Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`
CVE-2026-44310 medium 5.4 5.4 debian debian 23d ago Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereference…
CVE-2026-44309 medium 5.3 5.3 debian debian 23d ago Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's …
CVE-2026-41181 medium 5.8 5.8 traefik 23d ago Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service
CVE-2026-45106 medium 5.5 23d ago Weblate: Stored HTML injection in editor search preview
CVE-2025-65954 medium 6.1 6.1 simplesamlphp 23d ago SimpleSAMLphp casserver: Open Redirect in logout
CVE-2026-45773 medium 6.5 6.5 vercel 23d ago Trubo: Login callback CSRF/session fixation
CVE-2026-8669 medium 6.5 6.5 FIX debian debian 23d ago Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized…
CVE-2026-39053 medium 6.5 6.5 23d ago Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils…
CVE-2026-39052 medium 6.5 6.5 23d ago Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled sc…
CVE-2025-67437 medium 6.5 6.5 23d ago Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.
CVE-2026-8503 medium 6.5 6.5 FIX debian debian guimard 23d ago Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator re…
CVE-2026-8454 medium 5.3 5.3 tonyc 23d ago Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer G…
CVE-2026-41971 medium 5.5 5.5 23d ago Permission control vulnerability in the security control module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-41970 medium 6.8 6.8 23d ago Out-of-bounds write vulnerability in the distributed file system module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41969 medium 6.2 6.2 23d ago Permission control vulnerability in the projection module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-41968 medium 5.9 5.9 23d ago Permission control vulnerability in the manufacturability design module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41967 medium 5.9 5.9 23d ago Permission control vulnerability in the manufacturability design module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41966 medium 5.6 5.6 23d ago Permission control vulnerability in the smart sensing service. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-41965 medium 5.6 5.6 23d ago Use-After-Free (UAF) vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41961 medium 5.9 5.9 23d ago Permission control vulnerability in contacts. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41960 medium 5.8 5.8 23d ago Permission control vulnerability in calls. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-8425 medium 4.3 4.3 23d ago The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the _updateSettin…
CVE-2026-7563 medium 4.3 4.3 23d ago The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to t…
CVE-2026-7046 medium 4.9 4.9 23d ago The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to …
CVE-2026-6415 medium 6.4 6.4 23d ago The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON …
CVE-2026-4683 medium 6.5 6.5 23d ago The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and …
CVE-2026-6646 medium 6.4 6.4 23d ago The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitiz…
CVE-2026-24662 medium 5.4 5.4 23d ago Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a file containing malicious contents is uploaded, an arbitrary script …
CVE-2025-54518 unknown slesdebian debianwindows windows google 23d ago This vulnerability was found and addressed by AMD. We are documenting it in the Security Update Guide to encourage customers to install the May 2026 version of Windows as soon as possible. …
CVE-2026-8612 medium 5.3 5.3 sles oalders 23d ago WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. With no explicit cache…
CVE-2026-6811 medium 5.9 5.9 debian debian 24d ago Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is…
CVE-2026-45248 medium 5.3 5.3 hedera 24d ago Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user inform…
CVE-2026-44428 medium 4.7 4.7 lfprojects 24d ago MCP Registry's GitHub OIDC tokens are replayable across registry deployments due to shared audience
CVE-2026-44427 medium 5.5 24d ago MCP Registry has open redirect via protocol-relative path in trailing-slash middleware
CVE-2026-44662 medium 5.5 FIX debian debianwindows windows 24d ago rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorr…
CVE-2026-44430 medium 4.0 4.0 lfprojects 24d ago MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist
CVE-2026-44429 medium 5.4 5.4 lfprojects 24d ago MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`
CVE-2026-45366 medium 4.7 4.7 24d ago typescript-utcp is a typescript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency bet…
CVE-2026-42573 medium 5.5 24d ago Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
CVE-2026-42567 medium 5.5 24d ago Svelte: ReDoS in `<svelte:element>` Tag Validation
CVE-2026-45397 medium 5.3 5.3 openwebui 24d ago Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
CVE-2026-45386 medium 4.3 4.3 openwebui 24d ago Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
CVE-2026-45339 medium 6.5 6.5 openwebui 24d ago Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
CVE-2026-42599 medium 5.5 24d ago Svelte SSR vulnerable to cross-site scripting via spread attributes
CVE-2026-45314 medium 6.1 6.1 openwebui 24d ago Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
CVE-2026-45306 medium 6.5 6.5 24d ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect…
CVE-2026-8586 medium 5.5 5.5 FIX debian debianwindows windows google 24d ago Inappropriate implementation in Chromoting in Google Chrome prior to 148.0.7778.168 allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: …
CVE-2026-8584 medium 4.2 4.2 FIX debian debianmacos macoswindows windows google 24d ago Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page…
CVE-2026-8583 medium 5.3 5.3 FIX debian debianwindows windows google 24d ago Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive informa…
CVE-2026-8582 medium 5.3 5.3 FIX debian debianwindows windows google 24d ago Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium se…
CVE-2026-8576 medium 4.3 4.3 FIX debian debian linux-kernelwindows windows google 24d ago Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security sev…
CVE-2026-8570 medium 6.5 6.5 FIX debian debianwindows windows google 24d ago Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security sev…
CVE-2026-8567 medium 4.3 4.3 FIX debian debianwindows windows google 24d ago Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: …
CVE-2026-8566 medium 4.3 4.3 FIX debian debianwindows windows google 24d ago Insufficient policy enforcement in Payments in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium sec…
CVE-2026-8565 medium 4.7 4.7 FIX debian debianmacos macoswindows windows google 24d ago Inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafte…
CVE-2026-8564 medium 4.2 4.2 FIX debian debianmacos macoswindows windows google 24d ago Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: M…
CVE-2026-8563 medium 4.3 4.3 FIX debian debianwindows windows google 24d ago Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium se…
CVE-2026-8562 medium 4.3 4.3 FIX debian debianmacos macos linux-kernel google 24d ago Side-channel information leakage in Navigation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Mediu…
CVE-2026-8561 medium 5.4 5.4 FIX debian debianmacos macos linux-kernel google 24d ago Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-8560 medium 4.3 4.3 FIX debian debianmacos macoswindows windows google 24d ago Heap buffer overflow in SwiftShader in Google Chrome on Mac and iOS prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium securi…
CVE-2026-8559 medium 4.3 4.3 FIX debian debianwindows windows google 24d ago Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium secu…
CVE-2026-8552 medium 4.3 4.3 FIX debian debianwindows windows google 24d ago Heap buffer overflow in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity…
CVE-2026-8550 medium 6.5 6.5 FIX debian debianmacos macos linux-kernel google 24d ago Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memo…
CVE-2026-8546 medium 5.3 5.3 FIX debian debianmacos macoswindows windows google 24d ago Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information fr…
CVE-2026-8543 medium 5.3 5.3 FIX debian debianmacos macoswindows windows google 24d ago Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive infor…
CVE-2026-8541 medium 5.3 5.3 FIX debian debianmacos macos linux-kernel google 24d ago Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory vi…
CVE-2026-8539 medium 5.4 5.4 FIX debian debianwindows windows google 24d ago Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s…
CVE-2026-8538 medium 5.3 5.3 FIX debian debianwindows windows google 24d ago Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a craf…
CVE-2026-8537 medium 4.3 4.3 FIX debian debianwindows windows google 24d ago Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: H…
CVE-2026-8535 medium 5.3 5.3 FIX debian debian linux-kernelwindows windows google 24d ago Out of bounds read in Media in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive informati…
CVE-2026-8528 medium 4.3 4.3 FIX debian debianmacos macos linux-kernel google 24d ago Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a …
CVE-2026-8516 medium 5.3 5.3 FIX debian debianmacos macos linux-kernel google 24d ago Insufficient validation of untrusted input in DataTransfer in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentia…
CVE-2026-43996 medium 5.5 5.5 debian debian openimageio 24d ago OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_…
CVE-2026-26062 medium 6.5 6.5 fleetdm 24d ago Fleet server may terminate unexpectedly when handling certain gRPC requests
CVE-2026-24000 medium 5.3 5.3 fleetdm 24d ago Fleet has a rate limiting bypass via untrusted client IP headers
CVE-2026-45299 medium 5.4 5.4 openwebui 24d ago Open WebUI has Stored Cross-Site Scripting In Profile Picture
CVE-2026-45021 medium 5.5 24d ago Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin…
CVE-2026-45148 medium 4.3 4.3 24d ago SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
CVE-2026-45147 medium 4.3 4.3 24d ago SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
CVE-2026-38740 medium 5.3 5.3 24d ago Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE creden…
CVE-2026-27680 medium 4.3 4.3 sap 24d ago Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the appl…
CVE-2026-22707 medium 5.4 5.4 strapi 24d ago Strapi Upload Plugin MIME Validation Bypass via Content API
CVE-2026-22706 medium 6.5 6.5 strapi 24d ago Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
CVE-2025-64526 medium 5.3 5.3 strapi 24d ago Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
CVE-2026-44968 medium 5.5 24d ago dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters
CVE-2026-46469 medium 5.5 5.5 FIX debian debian sles freedesktop 24d ago An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate atom data before per…
CVE-2026-44544 medium 5.5 debian debian 24d ago gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted …
CVE-2026-44520 medium 5.7 5.7 24d ago docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler