CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-29055 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5023 A vulnerability has been found in DeDeveloper23 codebase-mcp up to 3ec749d237dd8eabbeef48657cf917275792fde6. This vulnerability affects the function getCodebase/getRemoteCodebase/saveCodebase of the f... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-6410 @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-34518 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but ret... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1890 The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data | 5.3 | MEDIUM | — | 0 |
| CVE-2016-20051 Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-29141 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge tags such as [signed OK]. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-29140 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to cause attacker-controlled certificates to be used for future encryption to a victim by adding the certificates to S/MIME signa... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-34519 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject ex... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-34525 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4997 A security flaw has been discovered in Sinaptik AI PandasAI up to 3.0.0. This affects the function is_sql_query_safe of the file pandasai/helpers/sql_sanitizer.py. Performing a manipulation results in... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-34736 Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verifica... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5998 A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This mani... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-35626 OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4664 The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` f... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33936 The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signatur... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-31924 Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users a... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-35640 OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28839 The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5234 The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39563 Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a thr... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39561 Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39605 Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39543 Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.21.4. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33429 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27859 A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU t... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39528 Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a thr... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5125 A vulnerability was detected in raine consult-llm-mcp up to 2.5.3. Affected by this vulnerability is the function child_process.execSync of the file src/server.ts. The manipulation of the argument git... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39606 Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39608 Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways W... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-31381 An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL. | 5.3 | MEDIUM | — | 0 |
| CVE-2024-53828 Ericsson Packet Core Controller (PCC) versions prior to 1.38 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39663 Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: f... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33672 Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the obje... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39669 Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39673 Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-34363 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class vi... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-6160 A vulnerability was found in code-projects Simple ChatBox 1.0. Affected by this issue is the function SimpleChatbox_PHP of the file chatbox.sql of the component Endpoint. Performing a manipulation res... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33545 MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to cons... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33688 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks be... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-34073 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child cert... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4532 A security vulnerability has been detected in code-projects Simple Food Ordering System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /food/sql/food.sql of the comp... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39691 Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box – Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Securi... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39715 Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affec... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-2442 The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-2343 The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably makin... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-29144 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge security tags using Unicode lookalike characters. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-34230 Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the head... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5003 A vulnerability was found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This affects the function handle_index of the file rag_system/api_server.py of the component Web Int... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-40100 FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() on... | 5.3 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.