TROYANOSYVIRUS

CVE Vulnerabilities

CVE vulnerability database enriched with CISA KEV and NVD data

Total: 5,420 CVEs
CVE ID | CVSS | Severity | KEV | Sightings
CVE-2026-32351

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS. This issue affects PowerPress Podcastin...

5.9 | MEDIUM | — | 0
CVE-2026-33319

WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upl...

5.9 | MEDIUM | — | 0
CVE-2026-32017

OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability in the exec safeBins policy that allows attackers to write arbitrary files using short-option payloads. Attackers can byp...

5.9 | MEDIUM | — | 0
CVE-2026-31875

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled fo...

5.9 | MEDIUM | — | 0
CVE-2026-33129

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==)...

5.9 | MEDIUM | — | 0
CVE-2026-28044

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS. This issue affects WP Rocket: from n/a through 3.19.4.

5.9 | MEDIUM | — | 0
CVE-2026-3579

wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operan...

5.9 | MEDIUM | — | 0
CVE-2026-32235

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Insta...

5.9 | MEDIUM | — | 0
CVE-2026-22737

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations f...

5.9 | MEDIUM | — | 0
CVE-2026-32935

phpseclib is a PHP secure communications library. Projects using versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when usin...

5.9 | MEDIUM | — | 0
CVE-2026-1867

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an adminis...

5.9 | MEDIUM | — | 0
CVE-2026-3260

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes paramete...

5.9 | MEDIUM | — | 0
CVE-2025-2399

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric CNC M800V Series M800VW and M800VS, M80V Series M80V and M80VW, M800 Series M800W and M800S, M...

5.9 | MEDIUM | — | 0
CVE-2026-33424

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lo...

5.9 | MEDIUM | — | 0
CVE-2026-4603

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.j...

5.9 | MEDIUM | — | 0
CVE-2026-32039

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identif...

5.9 | MEDIUM | — | 0
CVE-2024-35644

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS. This issue affects Preferred Langu...

5.9 | MEDIUM | — | 0
CVE-2026-27752

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe netwo...

5.9 | MEDIUM | — | 0
CVE-2026-29613

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without vali...

5.9 | MEDIUM | — | 0
CVE-2026-28464

OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network ac...

5.9 | MEDIUM | — | 0
CVE-2026-29076

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipa...

5.9 | MEDIUM | — | 0
CVE-2026-28465

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untruste...

5.9 | MEDIUM | — | 0
CVE-2026-27801

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protecte...

5.9 | MEDIUM | — | 0
CVE-2025-59873

An information exposure vulnerability exists in HCL Software ZIE for Web. The application transmits sensitive session tokens and authentication identifiers within the URL query para...

5.9 | MEDIUM | — | 0
CVE-2026-25966

ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard st...

5.9 | MEDIUM | — | 0
CVE-2026-27729

Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action ...

5.9 | MEDIUM | — | 0
CVE-2026-30247

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Serve...

5.9 | MEDIUM | — | 0
CVE-2026-22715

VMware Workstation and Fusion contain a logic flaw in the management of network packets. Known attack vectors: A malicious actor with administrative privileges on a Guest VM may be able to interrupt...

5.9 | MEDIUM | — | 0
CVE-2025-36363

IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

5.9 | MEDIUM | — | 0
CVE-2026-30850

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadat...

5.9 | MEDIUM | — | 0
CVE-2026-30856

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injectio...

5.9 | MEDIUM | — | 0
CVE-2026-28545

Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability.

5.9 | MEDIUM | — | 0
CVE-2026-3337

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations ...

5.9 | MEDIUM | — | 0
CVE-2026-27629

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch...

5.9 | MEDIUM | — | 0
CVE-2026-27477

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an...

5.9 | MEDIUM | — | 0
CVE-2026-28208

Junrar is an open source Java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-...

5.9 | MEDIUM | — | 0
CVE-2026-27138

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either dir...

5.9 | MEDIUM | — | 0
CVE-2025-14456

IBM MQ Appliance 9.4 CD through 9.4.4.0 to 9.4.4.1

5.9 | MEDIUM | — | 0
CVE-2026-20018

A vulnerability in the sftunnel functionality of Cisco Secure Firewall Management Center (FMC) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote att...

5.9 | MEDIUM | — | 0
CVE-2026-28538

Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability.

5.9 | MEDIUM | — | 0
CVE-2026-27571

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compr...

5.9 | MEDIUM | — | 0
CVE-2025-13490

IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12....

5.9 | MEDIUM | — | 0
CVE-2026-28546

Buffer overflow vulnerability in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability.

5.9 | MEDIUM | — | 0
CVE-2026-28269

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file l...

5.9 | MEDIUM | — | 0
CVE-2026-20068

Multiple Cisco products are affected by a vulnerability in the Snort 3 detection engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting...

5.8 | MEDIUM | — | 0
CVE-2026-20065

Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting...

5.8 | MEDIUM | — | 0
CVE-2025-68515

Insertion of Sensitive Information Into Sent Data vulnerability in Roland Murg WP Booking System wp-booking-system allows Retrieve Embedded Sensitive Data. This issue affects WP Booking System: from n/...

5.8 | MEDIUM | — | 0
CVE-2026-20058

Multiple Cisco products are affected by vulnerabilities in the Snort 3 VBA feature that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to crash. These vulnera...

5.8 | MEDIUM | — | 0
CVE-2026-20006

A vulnerability in the TLS cryptography functionality of the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause th...

5.8 | MEDIUM | — | 0
CVE-2026-20007

A vulnerability in the Snort 2 and Snort 3 deep packet inspection of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Snort rule...

5.8 | MEDIUM | — | 0
Page 72 of 109

This product uses data from the NVD API but is not endorsed or certified by the NVD.