CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2021-47742 Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage t... | 8.8 | HIGH | β | 0 |
| CVE-2025-69294 Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9. | 8.8 | HIGH | β | 0 |
| CVE-2026-21537 Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network. | 8.8 | HIGH | β | 0 |
| CVE-2026-28774 An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interfa... | 8.8 | HIGH | β | 0 |
| CVE-2026-28773 The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteΒ Receiver Web Management Interface version 101 is vulnerable to... | 8.8 | HIGH | β | 0 |
| CVE-2026-28770 Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface v... | 8.8 | HIGH | β | 0 |
| CVE-2026-26065 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 20... | 8.8 | HIGH | β | 0 |
| CVE-2026-26990 LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address p... | 8.8 | HIGH | β | 0 |
| CVE-2026-21516 Improper neutralization of special elements used in a command ('command injection') in Github Copilot allows an unauthorized attacker to execute code over a network. | 8.8 | HIGH | β | 0 |
| CVE-2026-26064 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes a... | 8.8 | HIGH | β | 0 |
| CVE-2025-15158 The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0.... | 8.8 | HIGH | β | 0 |
| CVE-2019-25318 AVS Audio Converter 9.1.2.600 contains a stack overflow vulnerability that allows attackers to execute arbitrary code by manipulating the output folder text input. Attackers can craft a malicious payl... | 8.8 | HIGH | β | 0 |
| CVE-2025-15389 VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 8.8 | HIGH | β | 0 |
| CVE-2025-15388 VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 8.8 | HIGH | β | 0 |
| CVE-2025-15387 VPN Firewall developed by QNO Technology has a Insufficient Entropy vulnerability, allowing unauthenticated remote attackers to obtain any logged-in user session through brute-force attacks and subseq... | 8.8 | HIGH | β | 0 |
| CVE-2025-15460 A vulnerability was detected in UTT θΏε 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formPptpClientConfig. Performing a manipulation of the argument EncryptionMode results in... | 8.8 | HIGH | β | 0 |
| CVE-2026-26746 OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type... | 8.8 | HIGH | β | 0 |
| CVE-2026-30875 Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote C... | 8.8 | HIGH | β | 0 |
| CVE-2026-4442 Heap buffer overflow in CSS in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-26323 OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintai... | 8.8 | HIGH | β | 0 |
| CVE-2026-24356 Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetGenie: from n/a through <= 4.3.0. | 8.8 | HIGH | β | 0 |
| CVE-2025-68454 Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For... | 8.8 | HIGH | β | 0 |
| CVE-2025-13943 A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions throughΒ 5.50(ABVY.7)C0 could allow an authenticated attacker to execute... | 8.8 | HIGH | β | 0 |
| CVE-2026-24854 ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one... | 8.8 | HIGH | β | 0 |
| CVE-2026-3539 Object lifecycle issue in DevTools in Google Chrome prior to 145.0.7632.159 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a craft... | 8.8 | HIGH | β | 0 |
| CVE-2026-32355 Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1. | 8.8 | HIGH | β | 0 |
| CVE-2025-64424 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in... | 8.8 | HIGH | β | 0 |
| CVE-2025-69215 OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publica... | 8.8 | HIGH | β | 0 |
| CVE-2026-32060 OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch i... | 8.8 | HIGH | β | 0 |
| CVE-2026-2911 A vulnerability has been found in Tenda FH451 up to 1.0.0.9. This issue affects some unknown processing of the file /goform/GstDhcpSetSer. The manipulation leads to buffer overflow. It is possible to ... | 8.8 | HIGH | β | 0 |
| CVE-2025-14866 The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary... | 8.8 | HIGH | β | 0 |
| CVE-2026-26318 systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes... | 8.8 | HIGH | β | 0 |
| CVE-2026-28519 arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can sen... | 8.8 | HIGH | β | 0 |
| CVE-2026-4490 A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. This manipulation causes stack-based buffer overflow. Remote exploit... | 8.8 | HIGH | β | 0 |
| CVE-2025-59156 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's a... | 8.8 | HIGH | β | 0 |
| CVE-2025-15347 The Creator LMS β The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability ... | 8.8 | HIGH | β | 0 |
| CVE-2026-26975 Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute... | 8.8 | HIGH | β | 0 |
| CVE-2026-2070 A vulnerability has been found in UTT θΏε 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/formPolicyRouteConf. Such manipulation of the argument GroupName leads to bu... | 8.8 | HIGH | β | 0 |
| CVE-2026-23622 Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST meth... | 8.8 | HIGH | β | 0 |
| CVE-2026-28399 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This iss... | 8.8 | HIGH | β | 0 |
| CVE-2025-67077 File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action. | 8.8 | HIGH | β | 0 |
| CVE-2025-55204 muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a ... | 8.8 | HIGH | β | 0 |
| CVE-2025-69264 pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scrip... | 8.8 | HIGH | β | 0 |
| CVE-2026-2884 A vulnerability was identified in D-Link DWR-M960 1.01.07. The affected element is the function sub_41914C of the file /boafrm/formWanConfigSetup of the component WAN Interface Setting Handler. The ma... | 8.8 | HIGH | β | 0 |
| CVE-2021-47758 Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Au... | 8.8 | HIGH | β | 0 |
| CVE-2025-15157 The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check... | 8.8 | HIGH | β | 0 |
| CVE-2021-47852 Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. Attackers can replace the Rocks... | 8.8 | HIGH | β | 0 |
| CVE-2022-50804 JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to perform administrative actions on behalf of authenticated users without their know... | 8.8 | HIGH | β | 0 |
| CVE-2026-20963 Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 8.8 | HIGH | KEV | 0 |
| CVE-2026-3334 The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is ... | 8.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.