CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-26267 soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generate... | 7.5 | HIGH | — | 0 |
| CVE-2026-26205 opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treat... | N/A | NONE | — | 0 |
| CVE-2026-26203 PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26202 Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path (e.g. `/e... | 7.5 | HIGH | — | 0 |
| CVE-2026-26201 emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activi... | 7.5 | HIGH | — | 0 |
| CVE-2026-26200 HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a deni... | 7.8 | HIGH | — | 0 |
| CVE-2026-26193 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, aanually modifying chat history allows setting the `embeds` property on a re... | 7.3 | HIGH | — | 0 |
| CVE-2026-26192 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within doc... | 7.3 | HIGH | — | 0 |
| CVE-2026-26189 Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 du... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-26063 CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed ... | N/A | NONE | — | 0 |
| CVE-2025-67304 In Ruckus Network Director (RND) < 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessibl... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27475 SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized... | 8.1 | HIGH | — | 0 |
| CVE-2026-27474 SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form,... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27473 SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an a... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-27472 SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-26059 ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would exec... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-26057 Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow a ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23621 GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2817 Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privi... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-2409 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1. | N/A | NONE | — | 0 |
| CVE-2026-2243 A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condit... | 5.1 | MEDIUM | — | 0 |
| CVE-2026-26339 Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functiona... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-26338 Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-26337 Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal. | 8.2 | HIGH | — | 0 |
| CVE-2026-23620 GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListSe... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23619 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$Conte... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23618 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/Java... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23617 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Body) conditions interface. An authenticated user can supply HTML/JavaScr... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23616 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23615 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework Email Exceptions interface. An authenticated user can supply HTML/JavaSc... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23614 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework IP Exceptions interface. An authenticated user can supply HTML/JavaScrip... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23613 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ct... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23612 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23611 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$Cont... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23610 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23609 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can supply HTML/JavaScript in t... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23608 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint. An authenticated user can supply HTML/JavaScript in the ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23607 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spam Whitelist management interface. An authenticated user can supply HTML/JavaScript in th... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23606 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScr... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23605 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23604 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in th... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-2232 The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to ins... | 7.5 | HIGH | — | 0 |
| CVE-2026-26336 Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive... | 7.5 | HIGH | — | 0 |
| CVE-2026-26030 Semantic Kernel, Microsoft's semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the `InMemoryVectorStore` filter functionality. The ... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-26016 Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with... | 8.1 | HIGH | — | 0 |
| CVE-2026-25998 strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database f... | 7.5 | HIGH | — | 0 |
| CVE-2026-24834 Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with C... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-1581 The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied... | 7.5 | HIGH | — | 0 |
| CVE-2025-69725 An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain. | 4.7 | MEDIUM | — | 0 |
| CVE-2025-69674 Buffer Overflow vulnerability in CDATA FD614GS3-R850 V3.2.7_P161006 (Build.0333.250211) allows an attacker to execute arbitrary code via the node_mac, node_opt, opt_param, and domainblk parameters of ... | 6.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.