CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-34777 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointe... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39695 Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery. This issue affects Podigee: from n/a through <= 1.4.0. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33051 Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator's fullName as raw HTML due to the use... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-31153 A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 5.4 | MEDIUM | β | 0 |
| CVE-2025-1794 The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and outp... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33410 Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39346 OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded reques... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27252 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-15051 IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3466 Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0 allows an attacke... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28397 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-14778 A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with ... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-67491 OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 h... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27237 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-31832 Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, a broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign doma... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27898 Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user's cipher_id an... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-1337 Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. Ther... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25422 Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery. This issue affects Popularis Extra: from n/a through <= 1.2.10. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3103 A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss. | 5.4 | MEDIUM | β | 0 |
| CVE-2025-70060 An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27230 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26997 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-31876 Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27229 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable f... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25574 Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences intern... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-64999 Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into t... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27248 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-64166 Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type heade... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25500 Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-21292 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-pr... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-29175 Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are ren... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27948 Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30964 web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allow... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27231 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable f... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27233 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27232 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26270 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allow... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27228 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59903 Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25473 Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WZone: from n/a through <= 14.0.31. | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59904 Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and execut... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32095 Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25388 Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ads Pro: from n/a through <= 5.0. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26059 ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would exec... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23619 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$Conte... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32118 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26952 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26953 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27147 GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload funct... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-13734 IBM Engineering Requirements Management DOORS Next 7.1 and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions. | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.