CVE Schwachstellen
CVE-Datenbank angereichert mit CISA KEV und NVD Daten
| CVE ID | CVSS | Schweregrad | KEV | Sichtungen |
|---|---|---|---|---|
| CVE-2026-35092 A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) pack... | 7.5 | HIGH | — | 0 |
| CVE-2025-15285 The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() ... | 7.5 | HIGH | — | 0 |
| CVE-2025-59032 ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to... | 7.5 | HIGH | — | 0 |
| CVE-2026-32295 JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials. | 7.5 | HIGH | — | 0 |
| CVE-2026-39859 LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), ... | 7.5 | HIGH | — | 0 |
| CVE-2026-28377 A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace d... | 7.5 | HIGH | — | 0 |
| CVE-2026-39889 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function ... | 7.5 | HIGH | — | 0 |
| CVE-2019-25613 Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Attackers can establish a sess... | 7.5 | HIGH | — | 0 |
| CVE-2026-32364 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in redqteam Turbo Manager turbo-manager allows PHP Local File Inclusion.This issue... | 7.5 | HIGH | — | 0 |
| CVE-2026-32369 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion.This is... | 7.5 | HIGH | — | 0 |
| CVE-2026-25401 Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n... | 7.5 | HIGH | — | 0 |
| CVE-2025-12664 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause den... | 7.5 | HIGH | — | 0 |
| CVE-2026-35526 Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allo... | 7.5 | HIGH | — | 0 |
| CVE-2026-39312 SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.... | 7.5 | HIGH | — | 0 |
| CVE-2026-32981 A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file... | 7.5 | HIGH | — | 0 |
| CVE-2026-30795 Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing At... | 7.5 | HIGH | — | 0 |
| CVE-2026-23674 Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. | 7.5 | HIGH | — | 0 |
| CVE-2026-32287 Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()". | 7.5 | HIGH | — | 0 |
| CVE-2026-2580 The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up t... | 7.5 | HIGH | — | 0 |
| CVE-2026-31932 Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 an... | 7.5 | HIGH | — | 0 |
| CVE-2019-25579 phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to th... | 7.5 | HIGH | — | 0 |
| CVE-2026-35485 text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_grammar() allows reading any file on the ... | 7.5 | HIGH | — | 0 |
| CVE-2026-31933 Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been pat... | 7.5 | HIGH | — | 0 |
| CVE-2026-0692 The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's... | 7.5 | HIGH | — | 0 |
| CVE-2026-29112 DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `height` attributes from the input SVG to ... | 7.5 | HIGH | — | 0 |
| CVE-2026-33891 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library ... | 7.5 | HIGH | — | 0 |
| CVE-2026-35464 pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options... | 7.5 | HIGH | — | 0 |
| CVE-2026-32596 Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensit... | 7.5 | HIGH | — | 0 |
| CVE-2026-32666 WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with netwo... | 7.5 | HIGH | — | 0 |
| CVE-2026-30364 CentSDR commit e40795 was discovered to contain a stack overflow in the "Thread1" function. | 7.5 | HIGH | — | 0 |
| CVE-2026-32969 An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL... | 7.5 | HIGH | — | 0 |
| CVE-2026-27135 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_sessio... | 7.5 | HIGH | — | 0 |
| CVE-2013-20006 Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users.... | 7.5 | HIGH | — | 0 |
| CVE-2026-6067 A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a... | 7.5 | HIGH | — | 0 |
| CVE-2025-66363 An issue was discovered in LBS in Samsung Mobile Processor Exynos 2200. There was no check for memory initialization within DL NAS Transport messages. | 7.5 | HIGH | — | 0 |
| CVE-2025-62817 An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, and 2500. A NULL pointer dereference of session->ncp_hdr_buf in __pilot_parsing_ncp() causes a denial of ... | 7.5 | HIGH | — | 0 |
| CVE-2024-55027 Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db. | 7.5 | HIGH | — | 0 |
| CVE-2025-62188 An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, includ... | 7.5 | HIGH | — | 0 |
| CVE-2018-25169 AMPPS 2.7 contains a denial of service vulnerability that allows remote attackers to crash the service by sending malformed data to the default HTTP port. Attackers can establish multiple socket conne... | 7.5 | HIGH | — | 0 |
| CVE-2026-33427 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display... | 7.5 | HIGH | — | 0 |
| CVE-2026-29856 An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input. | 7.5 | HIGH | — | 0 |
| CVE-2026-29858 A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure. | 7.5 | HIGH | — | 0 |
| CVE-2026-32314 Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN... | 7.5 | HIGH | — | 0 |
| CVE-2025-66687 Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file path validation during the extraction of game files | 7.5 | HIGH | — | 0 |
| CVE-2026-35185 HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication toke... | 7.5 | HIGH | — | 0 |
| CVE-2026-31964 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. Whi... | 7.5 | HIGH | — | 0 |
| CVE-2026-32886 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling... | 7.5 | HIGH | — | 0 |
| CVE-2026-32299 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the p... | 7.5 | HIGH | — | 0 |
| CVE-2026-4247 When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks th... | 7.5 | HIGH | — | 0 |
| CVE-2026-35036 Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is le... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.