CVE Schwachstellen
CVE-Datenbank angereichert mit CISA KEV und NVD Daten
| CVE ID | CVSS | Schweregrad | KEV | Sichtungen |
|---|---|---|---|---|
| CVE-2025-14513 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a de... | 7.5 | HIGH | — | 0 |
| CVE-2026-0602 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose meta... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1069 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted ... | 7.5 | HIGH | — | 0 |
| CVE-2026-1090 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markd... | 8.7 | HIGH | — | 0 |
| CVE-2026-20117 A vulnerability in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attack... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-12555 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenti... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-67034 An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "name" parameter when deleting SSL credentials through the management interface. Injec... | 8.8 | HIGH | — | 0 |
| CVE-2025-67035 An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An at... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-67036 An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. Due to a missing sanitization in the file name parameter, an authenti... | 8.8 | HIGH | — | 0 |
| CVE-2025-68623 In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privil... | 8.8 | HIGH | — | 0 |
| CVE-2025-70082 An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1471 Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restar... | N/A | NONE | — | 0 |
| CVE-2026-1524 An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or mor... | N/A | NONE | — | 0 |
| CVE-2026-20040 A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This... | 8.8 | HIGH | — | 0 |
| CVE-2026-20046 A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to elevate privileges and gain full administrative control of ... | 8.8 | HIGH | — | 0 |
| CVE-2026-20074 A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the IS-IS p... | 7.4 | HIGH | — | 0 |
| CVE-2026-31859 Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session.... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-31861 Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, The /api/user/git-config endpoint constructs shell commands by interpolat... | 8.8 | HIGH | — | 0 |
| CVE-2026-31862 Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolat... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-31867 Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows use... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-31868 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or conten... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-31870 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.),... | 7.5 | HIGH | — | 0 |
| CVE-2026-31871 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storag... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-31872 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypas... | 7.5 | HIGH | — | 0 |
| CVE-2019-25477 RAR Password Recovery 1.80 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload in the registration dialog. Attackers can cra... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25483 Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k contains a restricted shell escape vulnerability that allows local users to bypass command restrictions by using the command substitution operator $(... | 8.4 | HIGH | — | 0 |
| CVE-2019-25484 WinMPG iPod Convert 3.0 contains a buffer overflow vulnerability in the Register dialog that allows local attackers to crash the application by supplying an oversized payload. Attackers can paste a la... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25485 R 3.4.4 on Windows x64 contains a buffer overflow vulnerability in the GUI Preferences language menu field that allows local attackers to bypass DEP and ASLR protections. Attackers can inject a crafte... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25486 Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POS... | 8.2 | HIGH | — | 0 |
| CVE-2019-25487 SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endp... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-24509 Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerab... | 3.6 | LOW | — | 0 |
| CVE-2026-31876 Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twi... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-31895 WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_prod... | 8.8 | HIGH | — | 0 |
| CVE-2026-31896 WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract(... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-31900 Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-31901 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) r... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-31954 Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks. | 0.0 | NONE | — | 0 |
| CVE-2026-31957 Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentica... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-70041 An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-32098 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the ... | 7.5 | HIGH | — | 0 |
| CVE-2026-32234 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicio... | 4.7 | MEDIUM | — | 0 |
| CVE-2026-3950 A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to ou... | 3.3 | LOW | — | 0 |
| CVE-2026-3951 A security flaw has been discovered in LockerProject Locker 0.0.0/0.0.1/0.1.0. Affected is the function authIsAwesome of the file source-code/Locker-master/Ops/registry.js of the component Error Respo... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3954 A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/routers/workspace.py. This manipulation of the arg... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32109 Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html a... | 3.7 | LOW | — | 0 |
| CVE-2026-32110 SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accept... | 8.3 | HIGH | — | 0 |
| CVE-2026-32111 ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form (beta feature) accepts a user-supplied ha_url and makes a server-side HTTP request to {ha_url}/api/config with no U... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-32112 ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth ... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-32118 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32121 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. Tha... | 7.7 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.