VIR Vulnerability Intelligence Relay

Search

Found 90,849 results in 4431ms · Match type: Filtered list

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-9200 high 7.5 7.5 11d ago The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attacke…
CVE-2026-8702 medium 6.4 6.4 11d ago The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in…
CVE-2026-8938 medium 4.3 4.3 11d ago The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_…
CVE-2026-8939 medium 4.3 4.3 11d ago The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_sim…
CVE-2026-8842 medium 6.4 6.4 11d ago The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sani…
CVE-2026-8703 medium 6.4 6.4 11d ago The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and ou…
CVE-2026-8868 medium 6.4 6.4 11d ago The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient inpu…
CVE-2026-8698 medium 6.4 6.4 11d ago The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode(…
CVE-2026-8837 medium 6.4 6.4 11d ago The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insuffi…
CVE-2026-8877 medium 6.4 6.4 11d ago The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input …
CVE-2026-6287 medium 5.4 5.4 11d ago The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Gride blocks…
CVE-2026-9236 medium 4.3 4.3 11d ago The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due…
CVE-2025-14481 medium 4.3 4.3 11d ago The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search R…
CVE-2026-49000 high 7.0 7.0 11d ago An insecure password scheme refers to vulnerabilities arising from improper selection of encryption algorithms, inadequate key management, or flawed code implementation, which may lead to data leakag…
CVE-2026-48962 high 7.3 7.3 FIX debian debianwindows windows 11d ago IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in …
CVE-2026-2253 high 7.7 7.7 11d ago Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
CVE-2026-2255 medium 4.3 4.3 11d ago Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Al…
CVE-2026-2254 medium 6.3 6.3 11d ago Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notficatio…
CVE-2026-48961 high 7.3 7.3 FIX debian debian 11d ago IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/…
CVE-2026-48959 high 7.5 7.5 FIX debian debian 11d ago IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) agains…
CVE-2026-9022 medium 6.4 6.4 11d ago The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitizatio…
CVE-2025-15649 medium 5.5 5.5 FIX slesdebian debianwindows windows 11d ago IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification da…
CVE-2026-48999 medium 5.7 5.7 11d ago Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically lo…
CVE-2026-49017 unknown FIX debian debian 11d ago In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty bu…
CVE-2026-49014 high 7.8 7.8 FIX slesdebian debian osgeo 12d ago In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer with…
CVE-2026-9632 high 8.8 8.8 12d ago A flaw has been found in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this issue is the function strcpy of the file /goform/formGroupConfig of the component Web Management Interface. Execu…
CVE-2026-6565 medium 6.4 6.4 12d ago The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endp…
CVE-2026-7493 medium 5.3 5.3 12d ago The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a…
CVE-2026-9207 high 8.8 8.8 tanium 12d ago Tanium addressed an unauthorized code execution vulnerability in Connect.
CVE-2026-9156 high 7.5 7.5 tanium 12d ago Tanium addressed a denial of service vulnerability in Tanium Server.
CVE-2026-9631 high 8.8 8.8 12d ago A vulnerability was detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this vulnerability is the function strcpy of the file /goform/formConfigFastDirectionW of the component Web Man…
CVE-2026-9628 high 8.8 8.8 12d ago A weakness has been identified in UTT HiPER 1200GW up to 2.5.3-170306. Affected is an unknown function of the file /goform/formPptpClientConfig of the component Web Management Interface. This manipul…
CVE-2026-9627 high 8.8 8.8 12d ago A security flaw has been discovered in UTT HiPER 1200GW up to 2.5.3-170306. This impacts the function strcpy of the file /goform/setSysAdm of the component Web Management Interface. The manipulation …
CVE-2026-44979 medium 5.5 12d ago @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects
CVE-2026-44974 high 8.0 12d ago @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
CVE-2026-44741 high 8.0 12d ago Pimcore Admin Classic Bundle Vulnerable to SQL Injection in Translation Grid Date Filter via Unsanitized Property Parameter
CVE-2026-44739 high 8.0 12d ago Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration
CVE-2026-44705 high 8.0 12d ago tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
CVE-2026-9609 medium 4.7 4.7 12d ago A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remot…
CVE-2026-44646 medium 5.5 12d ago LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
CVE-2026-9607 medium 6.3 6.3 12d ago A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Performing a manipulation of the argument s results …
CVE-2026-9605 high 7.3 7.3 12d ago A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer ove…
CVE-2026-44645 medium 5.5 12d ago LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
CVE-2026-44644 medium 5.5 12d ago LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
CVE-2026-44596 medium 6.5 EXP 12d ago Yamcs has No Rate Limiting on Authentication Endpoint
CVE-2026-44595 medium 6.5 EXP 12d ago Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints
CVE-2026-44587 medium 5.5 12d ago CarrierWave has a denylisted_content_type bypass via
CVE-2026-9312 high 8.2 8.2 github 12d ago A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insu…
CVE-2026-8975 high 8.8 8.8 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8974 high 8.8 8.8 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8970 high 8.8 8.8 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8968 high 7.5 7.5 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8962 high 8.1 8.1 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8961 medium 6.5 6.5 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8958 high 8.6 8.6 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8957 high 8.8 8.8 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8955 high 8.8 8.8 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8954 high 7.5 7.5 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8947 high 7.3 7.3 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8946 high 7.5 7.5 FIX rheldebian debian sles mozilla 12d ago Important: thunderbird security update
CVE-2026-8391 medium 5.3 5.3 FIX rheldebian debianalmalinux almalinux mozilla 12d ago Important: thunderbird security update
CVE-2026-8388 medium 6.5 6.5 FIX rheldebian debianalmalinux almalinux mozilla 12d ago Important: thunderbird security update
CVE-2026-47737 unknown 12d ago Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on
CVE-2026-47736 unknown 12d ago Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
CVE-2026-42899 high 7.5 7.5 FIX rhelmacos macos linux-kernel microsoft 12d ago Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2026-38945 high 7.8 7.8 12d ago Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of …
CVE-2026-38931 medium 5.4 5.4 12d ago A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.
CVE-2026-38930 medium 6.5 6.5 12d ago OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the …
CVE-2026-38808 medium 5.3 5.3 12d ago SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components
CVE-2026-38807 high 8.8 8.8 12d ago Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component
CVE-2026-38427 high 7.3 7.3 12d ago An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t varia…
CVE-2026-38426 high 7.3 7.3 12d ago Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the xdrv_10_scripter.ino, fetch_jpg(), jpg_task.boundary[40], strcpy() fu…
CVE-2026-38422 high 7.3 7.3 12d ago Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() functio…
CVE-2026-37713 high 7.3 7.3 12d ago An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.
CVE-2026-37712 high 7.3 7.3 12d ago An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in fun…
CVE-2026-37711 high 7.3 7.3 12d ago An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php
CVE-2026-36540 high 7.3 7.3 12d ago Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to …
CVE-2026-36539 high 7.3 7.3 12d ago Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the L…
CVE-2026-36538 high 7.3 7.3 12d ago Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root, allowing an attacke…
CVE-2026-36045 high 7.3 7.3 12d ago picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a d…
CVE-2026-36044 high 8.8 8.8 12d ago @pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenati…
CVE-2026-34043 high 8.0 FIX rheldebian debianalmalinux almalinux 12d ago RHSA-2026:21291: .NET 8.0 security update (Important)
CVE-2026-31266 high 7.3 7.3 12d ago Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).
CVE-2026-30498 medium 6.3 6.3 12d ago A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0.
CVE-2025-70116 medium 4.3 4.3 debian debian 12d ago A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media…
CVE-2025-70103 high 7.3 7.3 slesdebian debian 12d ago Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to the jxl::extras::DecodeImagePNM function in file lib/extras/dec/pnm.cc.
CVE-2025-69600 high 7.8 7.8 12d ago Command injection in Raynet rvia RayVentory Scan Engine 12.6 Update 8 and previous versions allows adversaries to execute commands via getconfig, upload, inventory, and oracle options.
CVE-2025-68712 medium 5.5 5.5 12d ago SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mec…
CVE-2025-67903 medium 5.3 5.3 12d ago Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass.
CVE-2026-8606 medium 5.9 5.9 github 12d ago A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security…
CVE-2026-44210 medium 5.5 12d ago Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations
CVE-2026-44177 high 8.0 12d ago Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup
CVE-2026-44176 medium 5.5 12d ago Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
CVE-2026-44175 high 8.0 12d ago Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend
CVE-2026-44174 high 8.0 12d ago Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints
CVE-2026-43947 high 8.0 12d ago FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
CVE-2026-43946 high 8.0 12d ago FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
CVE-2026-43945 high 8.0 12d ago FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
CVE-2026-42568 medium 6.5 EXP 12d ago Yamcs Vulnerable to LDAP Injection in LdapAuthModule
CVE-2026-42462 high 8.0 12d ago Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring