CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-5998 A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This mani... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5170 A user with access to the cluster with a limited set of privilege actions can trigger a crash of aΒ mongod process during the limited and unpredictable window when the cluster is being promoted from a ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-29909 MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-20692 A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3595 The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-24468 OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-27859 A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU t... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40763 Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royal Elementor... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33759 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any au... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33761 WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34364 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39637 Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mogi: from n/a through <= 1.2.3. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33737 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be r... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39715 Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affec... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39691 Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box β Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Securi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-28839 The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-30878 baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accep... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5186 A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35654 OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender al... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-29142 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5414 A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argum... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-28818 A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35544 An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4751 NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmate: before 2.4.0. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4997 A security flaw has been discovered in Sinaptik AI PandasAI up to 3.0.0. This affects the function is_sql_query_safe of the file pandasai/helpers/sql_sanitizer.py. Performing a manipulation results in... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-31950 LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34369 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-2343 The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably makin... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35626 OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5833 A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Ide... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-6494 A flaw was found in the AAP MCP server. An unauthenticated remote attacker can exploit a log injection vulnerability by sending specially crafted input to the `toolsetroute` parameter. This parameter ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-20113 A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return li... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33672 Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the obje... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-29055 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5427 The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3210 Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34999 OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionalit... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5886 Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39563 Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a thr... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39605 Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5235 A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation c... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13997 The King Addons for Elementor β 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5236 A vulnerability was identified in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_BitReader::SkipBits of the file Ap4Dac4Atom.cpp of the component DSI v1 Parser. Such manipulation of th... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34443 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask() in app/Misc/Helper.php checks whether the input IP contains a / character. ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34510 OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit th... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33429 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34073 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child cert... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4281 The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connec... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33688 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks be... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33169 Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to ins... | 5.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.