
Found 58,595 results in 2511ms · Match type: Filtered list

CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2021-47924 medium 6.4 6.4 28d ago Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit…
CVE-2021-47923 critical 9.8 9.8 28d ago OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID c…
CVE-2021-47922 medium 6.4 6.4 28d ago Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScrip…
CVE-2021-47910 medium 6.4 6.4 28d ago AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon titl…
CVE-2021-47907 medium 6.4 6.4 28d ago Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attac…
CVE-2026-8244 medium 5.3 5.3 28d ago A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVe…
CVE-2026-8243 medium 5.3 5.3 29d ago A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to…
CVE-2026-8242 low 3.7 3.7 29d ago A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results…
CVE-2026-8241 medium 5.3 5.3 29d ago A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation lea…
CVE-2026-8235 medium 5.5 5.5 29d ago A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulatio…
CVE-2026-8233 medium 4.6 4.6 29d ago A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of com…
CVE-2026-8232 low 3.5 3.5 29d ago A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The ma…
CVE-2026-8231 medium 6.3 6.3 29d ago A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to sql inject…
CVE-2026-6104 critical 9.1 9.1 FIX sles debian ubuntu php 29d ago PHP vulnerabilities
CVE-2026-7261 critical 9.8 9.8 FIX sles debian windows php 29d ago PHP vulnerabilities
CVE-2026-7259 medium 6.5 6.5 FIX sles debian windows php 29d ago PHP vulnerabilities
CVE-2026-6735 medium 6.1 6.1 FIX sles debian windows php 29d ago PHP vulnerabilities
CVE-2026-6722 critical 9.8 9.8 FIX sles debian windows php 29d ago PHP vulnerabilities
CVE-2025-14179 critical 9.8 9.8 FIX sles debian windows php 29d ago PHP vulnerabilities
CVE-2026-8221 low 2.4 2.4 29d ago A flaw has been found in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /inventory/item-save. This manipulation causes cross site scripting. The attack is possible t…
CVE-2026-8220 low 2.4 2.4 29d ago A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack…
CVE-2026-8219 low 2.4 2.4 29d ago A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross sit…
CVE-2026-8218 low 2.4 2.4 29d ago A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cro…
CVE-2026-8217 medium 6.3 6.3 29d ago A security flaw has been discovered in Industrial Application Software IAS Canias ERP 8.03. Impacted is the function Runtime.getRuntime.exec of the component RMI Interface. Performing a manipulation …
CVE-2026-8215 medium 5.3 5.3 29d ago A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This vulnerability affects the function iasRequestFileEvent of the component RMI Interface. This manipulation of…
CVE-2026-8214 medium 5.3 5.3 29d ago A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results…
CVE-2026-8213 medium 5.5 5.5 FIX debian osgeo 29d ago A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manip…
CVE-2026-8212 medium 5.5 5.5 FIX debian osgeo 29d ago A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-bas…
CVE-2026-8211 medium 4.7 4.7 29d ago A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JS…
CVE-2026-45184 medium 6.5 6.5 FIX debian 29d ago Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
CVE-2026-45182 low 2.2 2.2 29d ago GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let syste…
CVE-2026-45181 medium 6.5 6.5 29d ago Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directory if the victim …
CVE-2026-8210 medium 5.3 5.3 29d ago A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update H…
CVE-2026-8196 low 3.7 3.7 29d ago A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginControlle…
CVE-2026-8195 medium 4.3 4.3 29d ago A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/C…
CVE-2026-8194 medium 4.3 4.3 29d ago A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argu…
CVE-2026-42576 medium 6.5 6.5 29d ago apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
CVE-2026-42571 critical 9.5 29d ago Pelican Web UI Affected by a Privilege Escalation Attack
CVE-2026-42333 medium 5.5 29d ago quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations
CVE-2026-8193 medium 6.3 6.3 29d ago A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead …
CVE-2026-8198 medium 5.3 5.3 29d ago The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including…
CVE-2026-8185 medium 6.3 6.3 29d ago A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authe…
CVE-2026-32683 medium 5.3 5.3 1mo ago Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to…
CVE-2026-1749 medium 6.8 6.8 1mo ago There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.
CVE-2026-42560 critical 9.1 9.1 1mo ago auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation
CVE-2026-42310 medium 5.5 5.5 FIX sles debian python 1mo ago Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
CVE-2026-42308 medium 5.5 5.5 FIX sles debian python 1mo ago Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer…
CVE-2025-15634 medium 4.3 4.3 hcltech 1mo ago A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized…
CVE-2025-15633 medium 6.5 6.5 hcltech 1mo ago An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables)…
CVE-2026-42295 medium 4.9 4.9 argoproj 1mo ago Argo vulnerable to exposure of artifact repository credentials
CVE-2026-42183 medium 6.5 6.5 argoproj 1mo ago Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
CVE-2026-41311 medium 6.5 6.5 liquidjs 1mo ago liquidjs has a Denial of Service via circular block reference in layout
CVE-2026-7652 medium 5.3 5.3 1mo ago The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due…
CVE-2026-6667 medium 4.3 4.3 FIX debian windows pgbouncer 1mo ago PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization)…
CVE-2026-6665 critical 9.8 9.8 FIX debian windows pgbouncer 1mo ago The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM se…
CVE-2026-44313 critical 9.1 9.1 1mo ago Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the f…
CVE-2026-45130 medium 5.5 5.5 FIX sles debian windows vim 1mo ago Vim vulnerabilities
CVE-2026-44987 low 3.8 3.8 1mo ago SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If th…
CVE-2026-44656 medium 5.3 5.3 FIX sles debian windows vim 1mo ago Vim vulnerabilities
CVE-2026-44284 medium 6.3 6.3 1mo ago FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected int…
CVE-2026-42556 critical 9.0 9.0 gitroom 1mo ago Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering their ow…
CVE-2026-42456 medium 4.3 4.3 mintplexlabs 1mo ago AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLL…
CVE-2026-42454 critical 9.9 9.9 1mo ago Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate t…
CVE-2026-42451 medium 6.3 6.3 1mo ago Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary Java…
CVE-2026-42354 critical 9.8 9.8 sentry 1mo ago Sentry's improper authentication on SAML SSO process allows user identity linking
CVE-2026-42346 medium 6.5 6.5 1mo ago Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulner…
CVE-2026-42344 medium 6.3 6.3 1mo ago FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU — Tim…
CVE-2026-42307 medium 4.4 4.4 FIX debian ubuntu vim 1mo ago Vim vulnerabilities
CVE-2026-42302 critical 9.8 9.8 1mo ago FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The star…
CVE-2026-42298 critical 9.8 9.8 gitroom 1mo ago Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows a…
CVE-2026-42291 medium 6.8 6.8 1mo ago SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes is not properly au…
CVE-2026-41520 medium 4.4 4.4 cilium 1mo ago Cilium exposes sensitive information included in the cilium-bugtool debug archive
CVE-2026-37709 critical 9.8 9.8 snipeitapp 1mo ago Snipe-IT has insecure permissions in file uploads
CVE-2026-44831 medium 5.4 5.4 snipeitapp 1mo ago Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)
CVE-2026-44298 medium 4.9 4.9 kimai 1mo ago Kimai has an arbitrary file read in its invoice PDF renderer (admin)
CVE-2026-42209 medium 6.5 6.5 1mo ago FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_mes…
CVE-2026-42199 medium 6.2 6.2 1mo ago Grid: Integer Overflow in Grid::expand_rows Leads to Safe-API Undefined Behavior
CVE-2026-42195 low 3.4 3.4 1mo ago draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAut…
CVE-2026-42193 critical 9.1 9.1 1mo ago Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verif…
CVE-2026-42192 medium 5.4 5.4 1mo ago Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email bo…
CVE-2026-44400 critical 9.8 9.8 mailenable 1mo ago MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing Authent…
CVE-2026-44211 critical 9.6 9.6 cline 1mo ago Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time o…
CVE-2026-44200 medium 6.5 6.5 torchbox 1mo ago Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of …
CVE-2026-44694 critical 9.1 9.1 n8n-mcp 1mo ago n8n-mcp webhook and API client paths has an authenticated SSRF
CVE-2026-42282 medium 4.3 4.3 n8n-mcp 1mo ago n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
CVE-2026-42190 medium 5.3 5.3 redwoodjs 1mo ago RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
CVE-2026-42185 medium 5.5 5.5 1mo ago People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted in…
CVE-2026-42181 medium 6.5 6.5 1mo ago Lemmy has SSRF and internal image disclosure in post link metadata via unvalidated og:image
CVE-2026-42180 medium 6.3 6.3 1mo ago Lemmy has SSRF in /api/v3/post via Webmention dispatch
CVE-2026-42176 medium 6.7 6.7 1mo ago Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer to…
CVE-2026-41495 medium 5.3 5.3 n8n-mcp 1mo ago n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
CVE-2026-44557 medium 4.3 4.3 openwebui 1mo ago Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
CVE-2026-44551 critical 9.1 9.1 openwebui 1mo ago Open WebUI has an LDAP Empty Password Authentication Bypass
CVE-2026-44737 medium 5.5 1mo ago Grav: Stored XSS via page title (data[header][title]) in admin panel
CVE-2026-41511 medium 5.5 5.5 openmcdf_projectopenmcdf 1mo ago OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory …
CVE-2026-42072 critical 9.8 9.8 1mo ago NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access
CVE-2026-42030 medium 6.1 6.1 FIX debian osgeo 1mo ago MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker t…
CVE-2026-42028 medium 5.3 5.3 1mo ago novaGallery is a php image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intend…
CVE-2026-41889 critical 9.8 9.8 debian sles windows jackc 1mo ago pgx: SQL Injection via placeholder confusion with dollar quoted string literals
CVE-2026-38360 critical 9.8 9.8 1mo ago Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHan…