CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-32455 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows DOM-Based XSS.This issue affects MD... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-27555 Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection par... | 6.5 | MEDIUM | β | 0 |
| CVE-2024-56208 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in desertthemes NewsMash newsmash allows Stored XSS.This issue affects NewsMash: from n/a through <= ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32460 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting I... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34281 Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker wit... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1461 The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin on... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2375 The App Builder β Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_rol... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25463 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpEstate Wpresidence Core wpresidence-core allows Stored XSS.This issue affects Wpresidence Core: ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25453 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdempfle Advanced iFrame advanced-iframe allows DOM-Based XSS.This issue affects Advanced iFrame: ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27094 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS.This issue affects CoBlocks: from n/a through <= 3.1.1... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34299 Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitab... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34300 Vulnerability in the PeopleSoft Enterprise FIN Contracts product of Oracle PeopleSoft (component: Contracts). The supported version that is affected is 9.2. Easily exploitable vulnerability allows l... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34301 Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitab... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34306 Vulnerability in the PeopleSoft Enterprise FIN Project Costing product of Oracle PeopleSoft (component: Projects). The supported version that is affected is 9.2. Easily exploitable vulnerability all... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23984 An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database co... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34315 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0.... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23983 A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25480 Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separator... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32885 DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25612 The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this rep... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1602 SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-32223 Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23598 Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23597 Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25479 Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows re... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-62043 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25229 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labe... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3131 Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-40924 Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27585 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path re... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-13587 The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login()... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-33130 IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27589 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint tha... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-6355 A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to un... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24434 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF... | 6.5 | MEDIUM | β | 0 |
| CVE-2024-31118 Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manage... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-67189 A buffer overflow vulnerability exists in the setParentalRules interface of TOTOLINK A950RG V4.1.2cu.5204_B20210112. The urlKeyword parameter is not properly validated, and the function concatenates m... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28104 Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a throu... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33611 An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-13867 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 throughΒ 11.5.9 andΒ 12.1.0 throughΒ 12.1.3Β could allow an authenticated user to cause a denial of service due to improper neutral... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27354 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Store... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14689 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special element... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24053 Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files ou... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-37115 GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive info... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-31192 Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-36018 IBM Concert 1.0.0 through 2.1.0 for Z hub componentΒ is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23799 Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25036 Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Passster: from n/a through <= 4.2.... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-23546 Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-33124 IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to the incorrect calculation of a buffer size. | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.