CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-24350 PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-11251 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection.This issue affec... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1434 Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An attacker can craft a malicious URL that, when opened, causes arbitrary JavaScript to execute in the victim’s browser. This issue w... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-21660 Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, ex... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-21659 Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allow an unauthenticated attacker to exec... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1305 The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_perm... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-14142 The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to i... | 6.4 | MEDIUM | — | 0 |
| CVE-2024-10938 The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known ma... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2383 The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and ou... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2362 The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to,... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2252 An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affect... | 7.5 | HIGH | — | 0 |
| CVE-2026-2251 Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-21658 Unauthenticated Remote Code Execution i.e Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient vali... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-21657 Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-21656 Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-21654 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validat... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1627 An attacker may exploit the use of outdated and weak MAC algorithms in the device’s SSH service to potentially compromise the integrity of the SSH session, allowing manipulation of transmitted data if... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1626 An attacker may exploit the use of weak CBC-based cipher suites in the device’s SSH service to potentially observe or manipulate parts of the encrypted SSH communication, if they are able to intercept... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-12150 A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via su... | 3.1 | LOW | — | 0 |
| CVE-2026-27776 IM-LogicDesigner module of intra-mart Accel Platform contains insecure deserialization issue. This can be exploited only when IM-LogicDesigner is deployed on the system. Arbitrary code may be executed... | 8.8 | HIGH | — | 0 |
| CVE-2026-0980 A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit t... | 8.3 | HIGH | — | 0 |
| CVE-2026-0871 A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. ... | 4.9 | MEDIUM | — | 0 |
| CVE-2025-9909 A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//)... | 6.7 | MEDIUM | — | 0 |
| CVE-2025-9908 A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructu... | 6.7 | MEDIUM | — | 0 |
| CVE-2025-9907 A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure... | 6.7 | MEDIUM | — | 0 |
| CVE-2025-9572 n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the Graph... | 5.0 | MEDIUM | — | 0 |
| CVE-2025-13327 A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that e... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-3302 A weakness has been identified in SourceCodester Doctor Appointment System 1.0. Affected by this issue is some unknown functionality of the file /register.php of the component Sign Up Page. Executing ... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-15567 Insufficient protection mechanisms in the Health Module may lead to partial information disclosure. | 3.3 | LOW | — | 0 |
| CVE-2025-15509 The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage. | 4.3 | MEDIUM | — | 0 |
| CVE-2025-14149 The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and incl... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-14040 The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. Thi... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-12981 The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation check in the bundled listee-core plugin's user regi... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3301 A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Web Managemen... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3293 A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanne... | 3.3 | LOW | — | 0 |
| CVE-2026-28372 telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40... | 7.4 | HIGH | — | 0 |
| CVE-2026-27653 The installers for multiple products provided by Soliton Systems K.K. contain an issue with incorrect default permissions, which may allow arbitrary code to be executed with SYSTEM privileges. | 6.7 | MEDIUM | — | 0 |
| CVE-2026-3292 A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frphp/lib/Model.php of the component Batch Interface. The manipulation of the argume... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-3289 A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a m... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-3287 A security flaw has been discovered in youlaitech youlai-mall 2.0.0. This affects the function listPagedSpuForApp of the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuCont... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-28370 In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitr... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-1558 The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integratio... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1442 Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an ... | 7.8 | HIGH | — | 0 |
| CVE-2026-3286 A vulnerability was identified in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3. The impacted element is the function Save of the file paicoding-web/src/main/java/com/github/paicoding/forum/web/common/im... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-2428 The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Insta... | 7.5 | HIGH | — | 0 |
| CVE-2026-28364 In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems ... | 7.9 | HIGH | — | 0 |
| CVE-2026-28363 In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free executio... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-3285 A vulnerability was determined in berry-lang berry up to 1.1.0. The affected element is the function scan_string of the file src/be_lexer.c. This manipulation causes out-of-bounds read. The attack req... | 3.3 | LOW | — | 0 |
| CVE-2026-3284 A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_area results in integer... | 3.3 | LOW | — | 0 |
| CVE-2026-3283 A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads ... | 3.3 | LOW | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.