CVE Schwachstellen
CVE-Datenbank angereichert mit CISA KEV und NVD Daten
| CVE ID | CVSS | Schweregrad | KEV | Sichtungen |
|---|---|---|---|---|
| CVE-2026-28367 A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such... | 8.7 | HIGH | — | 0 |
| CVE-2025-15616 Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through va... | 6.7 | MEDIUM | — | 0 |
| CVE-2025-15615 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cau... | 5.8 | MEDIUM | — | 0 |
| CVE-2025-15381 In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including... | N/A | NONE | — | 0 |
| CVE-2026-4959 A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Perfor... | 7.3 | HIGH | — | 0 |
| CVE-2026-4958 A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the comp... | 3.1 | LOW | — | 0 |
| CVE-2026-32984 Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can exploit this vulner... | 3.5 | LOW | — | 0 |
| CVE-2026-32983 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cau... | 5.8 | MEDIUM | — | 0 |
| CVE-2026-30534 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the "id" parameter. | 8.3 | HIGH | — | 0 |
| CVE-2026-30533 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30532 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the "id" parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30531 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user... | 8.8 | HIGH | — | 0 |
| CVE-2026-30530 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30529 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user inp... | 8.8 | HIGH | — | 0 |
| CVE-2026-30527 A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-30302 The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect us... | 10.0 | CRITICAL | — | 0 |
| CVE-2023-7340 Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can exploit this vulner... | 3.5 | LOW | — | 0 |
| CVE-2026-5027 The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path trave... | 8.8 | HIGH | — | 0 |
| CVE-2026-5026 The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an ... | N/A | NONE | — | 0 |
| CVE-2026-5025 The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-5022 The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by kno... | N/A | NONE | — | 0 |
| CVE-2026-5010 A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicio... | N/A | NONE | — | 0 |
| CVE-2026-4984 The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' paramete... | 8.2 | HIGH | — | 0 |
| CVE-2026-4980 A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:includ... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4957 A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manip... | 2.7 | LOW | — | 0 |
| CVE-2026-4956 A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter H... | 7.3 | HIGH | — | 0 |
| CVE-2026-4955 A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results i... | 7.3 | HIGH | — | 0 |
| CVE-2026-4954 A security vulnerability has been detected in mingSoft MCMS up to 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web Content List Endp... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4953 A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing ... | 7.3 | HIGH | — | 0 |
| CVE-2026-33766 WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follow... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33764 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` pa... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33763 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given passw... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33761 WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33759 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any au... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33758 OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=dir... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-33757 OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` s... | 9.6 | CRITICAL | — | 0 |
| CVE-2026-33755 Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/qu... | 8.8 | HIGH | — | 0 |
| CVE-2026-33750 The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33748 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir compo... | N/A | NONE | — | 0 |
| CVE-2026-33433 Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` inste... | 8.8 | HIGH | — | 0 |
| CVE-2026-33284 GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33206 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Mar... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-33205 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoin... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-30689 A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access control which leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator ... | 7.5 | HIGH | — | 0 |
| CVE-2026-30637 Server-Side Request Forgery (SSRF) vulnerability exists in the AnnounContent of the /admin/read.php in OTCMS V7.66 and before. The vulnerability allows remote attackers to craft HTTP requests, without... | 7.5 | HIGH | — | 0 |
| CVE-2026-30407 Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | N/A | NONE | — | 0 |
| CVE-2026-30304 In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by th... | 9.6 | CRITICAL | — | 0 |
| CVE-2026-30303 The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29871 A path traversal vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19) in the Beifong AI News and Podcast Agent backend in FastAPI backen... | 7.5 | HIGH | — | 0 |
| CVE-2026-28375 A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | 6.5 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.