CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-20963 Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 8.8 | HIGH | KEV | 0 |
| CVE-2026-24412 iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXm... | 8.8 | HIGH | β | 0 |
| CVE-2025-9222 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve sto... | 8.7 | HIGH | β | 0 |
| CVE-2026-1090 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markd... | 8.7 | HIGH | β | 0 |
| CVE-2025-66824 A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via t... | 8.7 | HIGH | β | 0 |
| CVE-2026-21290 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-pr... | 8.7 | HIGH | β | 0 |
| CVE-2026-2101 A Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAvpm Web Access from ENOVIAvpm Version 1 Release 16 through ENOVIAvpm Version 1 Release 19 allows an attacker to execute arbitrary s... | 8.7 | HIGH | β | 0 |
| CVE-2026-28426 Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with ... | 8.7 | HIGH | β | 0 |
| CVE-2026-32627 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirec... | 8.7 | HIGH | β | 0 |
| CVE-2025-69437 PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF fi... | 8.7 | HIGH | β | 0 |
| CVE-2026-32277 Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1... | 8.7 | HIGH | β | 0 |
| CVE-2026-33226 Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) make... | 8.7 | HIGH | β | 0 |
| CVE-2026-33172 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset uplo... | 8.7 | HIGH | β | 0 |
| CVE-2026-28274 Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user ... | 8.7 | HIGH | β | 0 |
| CVE-2025-6967 Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass.Thi... | 8.7 | HIGH | β | 0 |
| CVE-2026-0695 In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, thi... | 8.7 | HIGH | β | 0 |
| CVE-2026-23625 OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProjectβs road... | 8.7 | HIGH | β | 0 |
| CVE-2026-4601 Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can reco... | 8.7 | HIGH | β | 0 |
| CVE-2026-24665 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students ... | 8.7 | HIGH | β | 0 |
| CVE-2025-69231 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assess... | 8.7 | HIGH | β | 0 |
| CVE-2026-28683 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they c... | 8.7 | HIGH | β | 0 |
| CVE-2026-22867 LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user crea... | 8.7 | HIGH | β | 0 |
| CVE-2026-33346 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payme... | 8.7 | HIGH | β | 0 |
| CVE-2026-25648 Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by u... | 8.7 | HIGH | β | 0 |
| CVE-2025-63611 Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the a... | 8.7 | HIGH | β | 0 |
| CVE-2026-26022 Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's ... | 8.7 | HIGH | β | 0 |
| CVE-2026-23953 Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the βincusβ group... | 8.7 | HIGH | β | 0 |
| CVE-2026-23954 Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the βincusβ group) to use di... | 8.7 | HIGH | β | 0 |
| CVE-2025-67905 Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate... | 8.7 | HIGH | β | 0 |
| CVE-2026-25759 Statmatic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permis... | 8.7 | HIGH | β | 0 |
| CVE-2025-64091 This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. | 8.6 | HIGH | β | 0 |
| CVE-2026-0007 In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no add... | 8.6 | HIGH | β | 0 |
| CVE-2025-68901 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal.This issue affects Anona: from n/a through <= 8.0. | 8.6 | HIGH | β | 0 |
| CVE-2026-0719 A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an inte... | 8.6 | HIGH | β | 0 |
| CVE-2026-21333 Illustrator versions 29.8.4, 30.1 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. Exploitati... | 8.6 | HIGH | β | 0 |
| CVE-2025-68665 LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerab... | 8.6 | HIGH | β | 0 |
| CVE-2025-4686 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assess... | 8.6 | HIGH | β | 0 |
| CVE-2026-20101 A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload... | 8.6 | HIGH | β | 0 |
| CVE-2025-7631 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. C... | 8.6 | HIGH | β | 0 |
| CVE-2025-68044 Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affect... | 8.6 | HIGH | β | 0 |
| CVE-2025-68912 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Harmonic Design HDForms hdforms allows Path Traversal.This issue affects HDForms: from n/a through <= 1.... | 8.6 | HIGH | β | 0 |
| CVE-2026-28500 Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improp... | 8.6 | HIGH | β | 0 |
| CVE-2025-61732 A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | 8.6 | HIGH | β | 0 |
| CVE-2026-22729 A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-control... | 8.6 | HIGH | β | 0 |
| CVE-2025-57793 Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as... | 8.6 | HIGH | β | 0 |
| CVE-2026-21967 Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.... | 8.6 | HIGH | β | 0 |
| CVE-2026-20103 A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthen... | 8.6 | HIGH | β | 0 |
| CVE-2026-23512 SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe wit... | 8.6 | HIGH | β | 0 |
| CVE-2026-33719 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication... | 8.6 | HIGH | β | 0 |
| CVE-2025-67963 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal.This issue affects Movie Booking: from n/a th... | 8.6 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.