CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-6355 A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to un... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24900 MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25480 Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separator... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25479 Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows re... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22009 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulne... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32885 DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/a... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-40199 Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25846 In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22922 Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log ... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-69011 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Cool Tag Cloud cool-tag-cloud allows Stored XSS.This issue affects Cool Tag Cloud: from n/a... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30811 Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800 | 6.5 | MEDIUM | — | 0 |
| CVE-2020-37115 GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive info... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-6764 Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-6770 Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-39651 Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a th... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32448 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress allows Stored XSS.T... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20404 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32449 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Event Post themify-event-post allows Stored XSS.This issue affects Themify Event... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25631 n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send request... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25540 Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FET... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-42412 Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30452 Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-41312 pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27925 Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to disclose information over an adjacent network. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34266 Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vuln... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24418 OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk op... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24417 OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the gl... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24416 OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the ar... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-69216 OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-67189 A buffer overflow vulnerability exists in the setParentalRules interface of TOTOLINK A950RG V4.1.2cu.5204_B20210112. The urlKeyword parameter is not properly validated, and the function concatenates m... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-41320 Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, all... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23633 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23632 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33750 The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22592 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24666 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24953 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File L... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24668 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add conte... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24670 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create ne... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32958 SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24434 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34839 Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cro... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29647 In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabli... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-68050 Missing Authorization vulnerability in Leadpages Leadpages leadpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadpages: from n/a through <= 1.1.3. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-68026 Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34939 PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32960 SD-330AC and AMC Manager provided by silex technology, Inc. contain an issue with a sensitive information in resource not removed before reuse. An attacker may login to the device without knowing the... | 6.5 | MEDIUM | — | 0 |
| CVE-2022-50980 A unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33782 A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33781 An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allow an unauthenticated,... | 6.5 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.