TROYANOSYVIRUS

CVE Vulnerabilities

CVE vulnerability database enriched with CISA KEV and NVD data

Total: 16,146 CVEs
CVE ID | CVSS | Severity | KEV | Sightings
CVE-2026-23840

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-32913

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redi...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-27413

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection. This issue affects Profile Builder Pro: ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-21264

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network.

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-22484

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection. This issue affects Lisfinity Core: from n...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69970

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with aut...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-32940

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses d...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-23841

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-33134

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurar_produto.php endpoint. The vulnerability a...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-33135

WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbit...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-32754

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-33875

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-33136

WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can inj...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-32058

The Infotainment ECU manufactured by Bosch uses a RH850 module for CAN communication. RH850 is connected to infotainment over the INC interface through a custom protocol. There is a vulnerability duri...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69366

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Emerce Core emerce-core allows Blind SQL Injection. This issue affects Emerce Core: fr...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69365

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Uroan Core uroan-core allows Blind SQL Injection. This issue affects Uroan Core: from ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69337

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection. This issue affects Wolmart Core: f...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-24834

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with C...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-27593

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-30562

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_stock.php file via the "msg" parameter. The applic...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-20688

A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69310

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Woodly Core woodly-core allows Blind SQL Injection. This issue affects Woodly Core: fr...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69309

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Saasplate Core saasplate-core allows Blind SQL Injection. This issue affects Saasplate...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69308

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Nestbyte Core nestbyte-core allows Blind SQL Injection. This issue affects Nestbyte Co...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69307

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Medinik Core medinik-core allows Blind SQL Injection. This issue affects Medinik Core:...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-27614

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payloa...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-28827

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able t...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69306

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Electio Core electio-core allows Blind SQL Injection. This issue affects Electio Core:...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69305

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection. This issue affects Crete Core: from ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69304

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Allmart allmart-core allows Blind SQL Injection. This issue affects Allmart: from n/a ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-34361

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" en...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-32303

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection. This issue affects WPCHURCH: from n/a through 2.7.0.

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-69295

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Coven Core coven-core allows Blind SQL Injection. This issue affects Coven Core: from ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-32301

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-20407

In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-33502

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to mak...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-24956

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection. This issu...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-32096

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-68034

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection. This issue affects CleverReach® W...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-68857

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloa...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-30869

SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By expl...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-29191

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-29183

SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when typ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-28680

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sens...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-24399

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <ifr...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-32539

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection. This issue affects Publ...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2025-70948

A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-25921

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously o...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-28115

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSyste...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
CVE-2026-24993

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statist...

CVSS: 9.3 | Severity: CRITICAL | KEV: — | Sightings: 0
Page 27 of 323

This product uses data from the NVD API but is not endorsed or certified by the NVD.