CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-33456 Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via ... | 7.6 | HIGH | β | 0 |
| CVE-2026-33354 WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged uplo... | 7.6 | HIGH | β | 0 |
| CVE-2026-39497 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.This issue affects FOX: fr... | 7.6 | HIGH | β | 0 |
| CVE-2026-32458 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 WOLF bulk-editor allows Blind SQL Injection.This issue affects WOLF: from n/a through <... | 7.6 | HIGH | β | 0 |
| CVE-2026-39487 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a ... | 7.6 | HIGH | β | 0 |
| CVE-2026-32308 OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via... | 7.6 | HIGH | β | 0 |
| CVE-2026-34529 File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Brow... | 7.6 | HIGH | β | 0 |
| CVE-2026-32418 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.This issue affects Meow Gallery: f... | 7.6 | HIGH | β | 0 |
| CVE-2026-32117 The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / win... | 7.6 | HIGH | β | 0 |
| CVE-2025-14914 IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1Β could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading ... | 7.6 | HIGH | β | 0 |
| CVE-2026-26322 OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to... | 7.6 | HIGH | β | 0 |
| CVE-2025-70963 Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each userβs long-lived API key directly inside the rendered HTML/JavaScript of the page on every login.... | 7.6 | HIGH | β | 0 |
| CVE-2025-8589 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS.This issue... | 7.6 | HIGH | β | 0 |
| CVE-2025-7760 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HT... | 7.6 | HIGH | β | 0 |
| CVE-2026-27013 Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to app... | 7.6 | HIGH | β | 0 |
| CVE-2025-8461 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS.This issue affects syWEB: through 03022026.Β NOT... | 7.6 | HIGH | β | 0 |
| CVE-2026-26724 Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the... | 7.6 | HIGH | β | 0 |
| CVE-2025-8456 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected ... | 7.6 | HIGH | β | 0 |
| CVE-2025-53217 Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/... | 7.6 | HIGH | β | 0 |
| CVE-2026-3105 SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timel... | 7.6 | HIGH | β | 0 |
| CVE-2026-27487 OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into ... | 7.6 | HIGH | β | 0 |
| CVE-2026-22567 Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios. | 7.6 | HIGH | β | 0 |
| CVE-2025-52744 Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Inpersttion For Theme err-our-team allows Code Injection.This issue affects Inpersttion For Theme: from n/a throu... | 7.6 | HIGH | β | 0 |
| CVE-2025-27380 HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victimβs browser via crafted HTML con... | 7.6 | HIGH | β | 0 |
| CVE-2026-25802 New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRend... | 7.6 | HIGH | β | 0 |
| CVE-2026-33636 LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and... | 7.6 | HIGH | β | 0 |
| CVE-2026-33718 OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The... | 7.6 | HIGH | β | 0 |
| CVE-2026-34366 InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnera... | 7.6 | HIGH | β | 0 |
| CVE-2026-34426 OpenClaw versions prior to commit b57b680Β contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to in... | 7.6 | HIGH | β | 0 |
| CVE-2026-29870 A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpoint_dir parameter in OfflineACE.run. The save_to_file method ... | 7.6 | HIGH | β | 0 |
| CVE-2026-23775 Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of... | 7.6 | HIGH | β | 0 |
| CVE-2026-32749 SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart f... | 7.6 | HIGH | β | 0 |
| CVE-2026-33932 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document prev... | 7.6 | HIGH | β | 0 |
| CVE-2026-24750 Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, an authenticated attacker could exploit an Improper Neutralization of Input During Web Page Generation... | 7.6 | HIGH | β | 0 |
| CVE-2026-32728 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the fi... | 7.6 | HIGH | β | 0 |
| CVE-2026-1046 Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a userβs system via the user clicking on... | 7.6 | HIGH | β | 0 |
| CVE-2026-21367 Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans. | 7.6 | HIGH | β | 0 |
| CVE-2026-2476 Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported confi... | 7.6 | HIGH | β | 0 |
| CVE-2026-33918 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.... | 7.6 | HIGH | β | 0 |
| CVE-2026-28403 Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP... | 7.6 | HIGH | β | 0 |
| CVE-2026-25378 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Blind SQL Injection.This issue affects Nel... | 7.6 | HIGH | β | 0 |
| CVE-2026-26010 OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres... | 7.6 | HIGH | β | 0 |
| CVE-2025-64487 Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorizatio... | 7.6 | HIGH | β | 0 |
| CVE-2025-14343 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS.This issue affects E-Comm... | 7.6 | HIGH | β | 0 |
| CVE-2026-2469 Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() functio... | 7.6 | HIGH | β | 0 |
| CVE-2025-69311 Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a thro... | 7.6 | HIGH | β | 0 |
| CVE-2026-23805 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yoren Chang Media Search Enhanced media-search-enhanced allows SQL Injection.This issue affects Me... | 7.6 | HIGH | β | 0 |
| CVE-2026-28136 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.1... | 7.6 | HIGH | β | 0 |
| CVE-2026-25116 Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote use... | 7.6 | HIGH | β | 0 |
| CVE-2026-32606 IncusOS is an immutable OS image dedicated to running Incus. Prior to 202603142010, the default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows for an attacker with physic... | 7.6 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.