CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-56605 A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echo... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27792 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and pri... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3761 A flaw has been found in SourceCodester Client Database Management System 1.0. This issue affects some unknown processing of the file /superadmin_user_delete.php of the component Endpoint. Executing a... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28218 Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL quer... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28556 wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28401 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in ... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-64999 Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into t... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3103 A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25073 XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary script content throu... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-66168 Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets.Β When this integer overflow occurs, ActiveMQ may incorrectl... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27742 Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforc... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2694 The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30224 OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27948 Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27578 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts in... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2732 The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2953 A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2957 A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts the function deleteBackup of the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the componen... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24350 PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-67491 OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 h... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23808 A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Succe... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-21866 Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Difyβs default Mermaid ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23809 A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual port... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3268 A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeC... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23858 Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with rem... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2804 Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27639 Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-24351 PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visit... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-13734 IBM Engineering Requirements Management DOORS Next 7.1, and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28357 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rend... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26377 Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function. | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59540 Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27902 Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-29175 Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are ren... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33051 Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creatorβs fullName as raw HTML due to the use... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-65734 An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a c... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30927 Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTH... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-20166 In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "po... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33299 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill **Eye Exam** forms in pa... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27250 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33305 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) al... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-1217 The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32840 Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site scripting vulnerability in the system_name_set.cgi script that allows attackers to inject arbitrary script code by manip... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33251 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27223 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable f... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33683 WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbit... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27254 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts int... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27224 Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable f... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-63260 SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message. | 5.4 | MEDIUM | β | 0 |
| CVE-2025-69237 Raytha CMS is vulnerable to Stored XSS viaΒ FieldValues[0].Value parameter in page creation functionality. Authenticated attacker with permissions to create content can inject arbitrary HTML and JS int... | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.