CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-27747 The SPIP interface_traduction_objets plugin versions prior toΒ 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation request... | 8.8 | HIGH | β | 0 |
| CVE-2026-27746 The SPIP jeux plugin versions prior toΒ 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML out... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27745 The SPIP interface_traduction_objets plugin versions prior toΒ 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untruste... | 8.8 | HIGH | β | 0 |
| CVE-2026-27744 The SPIP tickets plugin versions prior toΒ 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted reque... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27743 The SPIP referer_spam plugin versions prior toΒ 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read th... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27641 Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and re... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27640 tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resour... | 7.5 | HIGH | β | 0 |
| CVE-2026-27639 Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27637 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD5... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27636 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htacce... | 8.8 | HIGH | β | 0 |
| CVE-2026-27627 Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it... | 8.2 | HIGH | β | 0 |
| CVE-2026-27597 Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be use... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-3146 A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null po... | 3.3 | LOW | β | 0 |
| CVE-2026-3145 A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-27822 RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbi... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-27632 Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state... | 2.6 | LOW | β | 0 |
| CVE-2026-27629 InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-27628 pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This h... | 7.5 | HIGH | β | 0 |
| CVE-2026-27626 OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dange... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-27621 TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS prior to version 16.1.... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27615 ADB Explorer is a fluent UI for ADB on Windows. In versions prior to Beta 0.9.26022, ADB-Explorer allows the `ManualAdbPath` settings variable, which determines the path of the ADB binary to be execut... | 7.8 | HIGH | β | 0 |
| CVE-2026-27614 Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payloa... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-27612 Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27611 FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the pa... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27610 Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-on... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-27609 Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection.... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27608 Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce autho... | 8.1 | HIGH | β | 0 |
| CVE-2026-27607 RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allow... | 8.1 | HIGH | β | 0 |
| CVE-2026-27606 Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary Fil... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27595 Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security ... | 7.5 | HIGH | β | 0 |
| CVE-2026-25135 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure vulnerability that leaks the entire cont... | 4.5 | MEDIUM | β | 0 |
| CVE-2025-5781 Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking.This issue affects Hitachi Ops Center... | 5.2 | MEDIUM | β | 0 |
| CVE-2026-2914 CyberArk Endpoint Privilege Manager Agent versions 25.10.0 and lower allow potential unauthorized privilege elevation leveraging CyberArk elevation dialogs | 7.8 | HIGH | β | 0 |
| CVE-2026-25131 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types... | 8.8 | HIGH | β | 0 |
| CVE-2026-25127 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized use... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25124 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that al... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24896 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in OpenEMRβs edih_main.php... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24849 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, theΒ `disposeDocument()`Β method inΒ `EtherFaxActions.php`Β allows authenti... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-24847 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Eye Exam form module allows any authenticated user to be redirected... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-21443 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrappe... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-69231 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assess... | 8.7 | HIGH | β | 0 |
| CVE-2025-68277 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a link is sent via Secure Messaging, clicking the link opens the w... | 5.0 | MEDIUM | β | 0 |
| CVE-2025-67752 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SSL/T... | 8.1 | HIGH | β | 0 |
| CVE-2026-3137 A security vulnerability has been detected in CodeAstro Food Ordering System 1.0. This affects an unknown function of the file food_ordering.exe. Such manipulation leads to stack-based buffer overflow... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3135 A weakness has been identified in itsourcecode News Portal Project 1.0. The impacted element is an unknown function of the file /admin/add-category.php. This manipulation of the argument Category caus... | 7.3 | HIGH | β | 0 |
| CVE-2026-27598 Dagu is a workflow engine with a built-in Web user interface. In versions up to and including 1.16.7, the `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passin... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-67491 OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 h... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3134 A security flaw has been discovered in itsourcecode News Portal Project 1.0. The affected element is an unknown function of the file /newsportal/admin/edit-category.php. The manipulation of the argume... | 7.3 | HIGH | β | 0 |
| CVE-2026-3133 A vulnerability has been found in itsourcecode Document Management System 1.0. This issue affects some unknown processing of the file /loging.php of the component Login. The manipulation of the argume... | 7.3 | HIGH | β | 0 |
| CVE-2026-26351 GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provid... | 4.8 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.