CVE Schwachstellen
CVE-Datenbank angereichert mit CISA KEV und NVD Daten
| CVE ID | CVSS | Schweregrad | KEV | Sichtungen |
|---|---|---|---|---|
| CVE-2026-29049 melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP c... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-29058 AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Ur... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29065 changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path ... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-29068 PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload contain mo... | 7.5 | HIGH | — | 0 |
| CVE-2026-29062 jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser... | 7.5 | HIGH | — | 0 |
| CVE-2026-29073 SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even rea... | 8.8 | HIGH | — | 0 |
| CVE-2026-25180 Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to disclose information locally. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25181 Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network. | 7.5 | HIGH | — | 0 |
| CVE-2018-25199 OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. Attackers can inj... | 8.2 | HIGH | — | 0 |
| CVE-2018-25200 OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can sub... | 5.3 | MEDIUM | — | 0 |
| CVE-2022-4947 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-32111. Reason: This candidate is a reservation duplicate of CVE-2024-32111. Notes: All CVE users should reference C... | N/A | NONE | — | 0 |
| CVE-2026-1799 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate has been determined not to be a valid vulnerability. Notes: All references and descriptions in this candidate hav... | N/A | NONE | — | 0 |
| CVE-2026-26051 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can con... | 9.4 | CRITICAL | — | 0 |
| CVE-2026-2752 Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-2753 An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can... | 7.5 | HIGH | — | 0 |
| CVE-2026-2754 Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute... | 7.5 | HIGH | — | 0 |
| CVE-2026-20748 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predic... | 7.3 | HIGH | — | 0 |
| CVE-2026-29091 Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specific... | 8.1 | HIGH | — | 0 |
| CVE-2026-29110 Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information ab... | 2.2 | LOW | — | 0 |
| CVE-2026-30831 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Ro... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30833 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-29791 Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI re... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-29795 stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::from_str does not validate that the input length is within the decla... | 4.0 | MEDIUM | — | 0 |
| CVE-2026-30223 OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "a... | 8.8 | HIGH | — | 0 |
| CVE-2026-30224 OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-30225 OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low‑privileged authenti... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-30227 MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-30247 WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Serve... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-30823 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature byp... | N/A | NONE | — | 0 |
| CVE-2026-30824 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authenticati... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30825 hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providin... | 0.0 | NONE | — | 0 |
| CVE-2026-30827 express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit... | 7.5 | HIGH | — | 0 |
| CVE-2026-30828 Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.... | 7.5 | HIGH | — | 0 |
| CVE-2026-30829 Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, a... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-30830 Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. A... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-29067 ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwa... | 8.1 | HIGH | — | 0 |
| CVE-2026-29186 Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdo... | 7.7 | HIGH | — | 0 |
| CVE-2026-29191 ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-29192 ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Defaul... | 7.7 | HIGH | — | 0 |
| CVE-2026-29193 ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-reg... | 8.2 | HIGH | — | 0 |
| CVE-2026-3663 A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_documen... | 3.3 | LOW | — | 0 |
| CVE-2026-29195 Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role d... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29196 Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/ext... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-30848 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerab... | 3.7 | LOW | — | 0 |
| CVE-2026-30850 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadat... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-30851 Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injec... | 8.1 | HIGH | — | 0 |
| CVE-2026-30909 Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows. bin2hex, encrypt, aes256gcm_encrypt_afternm and seal functions do not check that output size will be less than SIZ... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-70042 An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3705 A vulnerability was found in code-projects Simple Flight Ticket Booking System 1.0. This issue affects some unknown processing of the file /Adminsearch.php. The manipulation of the argument flightno r... | 7.3 | HIGH | — | 0 |
| CVE-2025-70046 An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master. | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.