CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-5572 A security flaw has been discovered in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack can b... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-22662 prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-contr... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6796 A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4118 The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33161 Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-35180 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploa... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-35411 Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup p... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-24176 NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-0971 An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-31150 Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1924 The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6703 The Responsive Blocks β Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-35181 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is expl... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-20446 In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privi... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33884 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview tok... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-36422 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 IBM InfoSphere DataStage Flow Designer is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and un... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-28861 A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious web... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6294 The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() func... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-21783 HCL Traveler is affected by sensitive information disclosure.Β The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file n... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-41285 In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_op... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-9484 GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenti... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-32618 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-32619 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5878 Incorrect security UI in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 4.3 | MEDIUM | β | 0 |
| CVE-2025-40841 Ericsson Indoor Connect 8855 versions prior to 2025.Q3Β contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4330 The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to t... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-20719 Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6032 A vulnerability was found in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /checkcheckout.php. Performing a manipulation of the argument serviceId results in cr... | 4.3 | MEDIUM | β | 0 |
| CVE-2016-20054 Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administr... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4845 A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3568 The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/fl... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5705 A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affected by this vulnerability is an unknown functionality of the file /booknow.php of the component Booking Endpoint. Such ma... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-39627 Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5875 Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33527 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generate... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33326 Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm th... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33829 Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-20061 A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5377 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in publ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-41126 BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5615 A weakness has been identified in givanz Vvvebjs up to 2.0.5. The affected element is an unknown function of the file upload.php of the component File Upload Endpoint. This manipulation of the argumen... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2403 CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettin... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5808 A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/clien... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-39381 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that th... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4133 The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage(... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-40590 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a βCreate a new customerβ flow via POST /customers/ajax with action=create. Un... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5015 A vulnerability was determined in elecV2 elecV2P up to 3.8.3. The impacted element is an unknown function of the file /logs of the component Endpoint. This manipulation of the argument filename causes... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4138 The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2826 The Kadence Blocks β Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not pro... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4139 The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability chec... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.