CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2019-25347 thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 t... | 7.5 | HIGH | β | 0 |
| CVE-2019-25346 TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 ... | 7.5 | HIGH | β | 0 |
| CVE-2019-25345 Realtek IIS Codec Service 6.4.10041.133 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in th... | 7.8 | HIGH | β | 0 |
| CVE-2019-25344 Wondershare MobileGo 8.5.0 contains an insecure file permissions vulnerability that allows local users to modify executable files in the application directory. Attackers can replace the original Mobil... | 7.8 | HIGH | β | 0 |
| CVE-2019-25343 NextVPN 4.10 contains an insecure file permissions vulnerability that allows local users to modify executable files with full access rights. Attackers can replace system executables with malicious fil... | 7.8 | HIGH | β | 0 |
| CVE-2026-26219 newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who ob... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-26218 newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset t... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22821 mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4. | 4.9 | MEDIUM | β | 0 |
| CVE-2026-21438 webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-21435 webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport se... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-21434 webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_C... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-70981 CordysCRM 1.4.1 is vulnerable to SQL Injection in the employee list query interface (/user/list) via the departmentIds parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69807 p2r3 Bareiron commit: 8e4d4020d is vulnerable to Buffer Overflow, which allows unauthenticated remote attackers to cause a denial of service via a packet sent to the server. | 7.5 | HIGH | β | 0 |
| CVE-2025-69806 p2r3 bareiron commit: 8e4d4020d contains an Out-of-bounds Read, which allows unauthenticated remote attackers to get relative information leakage via a packet sent to the server | 7.5 | HIGH | β | 0 |
| CVE-2025-63421 An issue in filosoft Comerc.32 Commercial Invoicing v.16.0.0.3 allows a local attacker to execute arbitrary code via the comeinst.exe file | 7.8 | HIGH | β | 0 |
| CVE-2025-54519 A DLL hijacking vulnerability in Doc Nav could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | 7.3 | HIGH | β | 0 |
| CVE-2025-52533 Improper Access Control in an on-chip debug interface could allow a privileged attacker to enable a debug interface and potentially compromise data confidentiality or integrity. | N/A | NONE | β | 0 |
| CVE-2024-36319 Debug code left active in AMD's Video Decoder Engine Firmware (VCN FW) could allow a attacker to submit a maliciously crafted command causing the VCN FW to perform read/writes HW registers, potentiall... | N/A | NONE | β | 0 |
| CVE-2023-31323 Type confusion in the AMD Secure Processor (ASP) could allow an attacker to pass a malformed argument to the External Global Memory Interconnect Trusted Agent (XGMI TA) leading to a memory safety viol... | N/A | NONE | β | 0 |
| CVE-2023-20601 Improper input validation within RAS TA Driver can allow a local attacker to access out-of-bounds memory, potentially resulting in a denial-of-service condition. | N/A | NONE | β | 0 |
| CVE-2025-61880 In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution. | 8.8 | HIGH | β | 0 |
| CVE-2025-61879 In Infoblox NIOS through 9.0.7, a High-Privileged User Can Trigger an Arbitrary File Write via the Account Creation Mechanism. | 7.7 | HIGH | β | 0 |
| CVE-2025-55210 FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticat... | 7.5 | HIGH | β | 0 |
| CVE-2025-54756 BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest relea... | 8.4 | HIGH | β | 0 |
| CVE-2026-26217 Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauth... | 8.6 | HIGH | β | 0 |
| CVE-2026-26216 Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-26214 Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpCli... | 7.4 | HIGH | β | 0 |
| CVE-2025-70886 An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the public comment submission endpoint | 7.5 | HIGH | β | 0 |
| CVE-2025-69752 An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in t... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-69634 Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who ind... | 9.0 | CRITICAL | β | 0 |
| CVE-2025-56647 npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attac... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1104 The FastDup β Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all ve... | 8.8 | HIGH | β | 0 |
| CVE-2025-14014 Unrestricted Upload of File with Dangerous Type vulnerability in NTN Information Processing Services Computer Software Hardware Industry and Trade Ltd. Co. Smart Panel allows Accessing Functionality N... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-31313 An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a privileged attacker to send malformed messages to the system management unit (SMU) potentially resulting i... | 7.2 | HIGH | β | 0 |
| CVE-2026-2007 Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we ... | 8.2 | HIGH | β | 0 |
| CVE-2026-2006 Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code... | 8.8 | HIGH | β | 0 |
| CVE-2026-2005 Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.... | 8.8 | HIGH | β | 0 |
| CVE-2026-2004 Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database... | 8.8 | HIGH | β | 0 |
| CVE-2026-2003 Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confiden... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1320 The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up to, and including, 4.9... | 7.2 | HIGH | β | 0 |
| CVE-2025-13004 Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables.This issue affects E-Commer... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-13002 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (X... | 8.2 | HIGH | β | 0 |
| CVE-2025-10969 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection.This issue... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1671 The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, a... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1316 The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media[].href' parameter in all versions up to, and including, 5.97.0 due to insufficient... | 7.2 | HIGH | β | 0 |
| CVE-2026-2276 Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not pr... | N/A | NONE | β | 0 |
| CVE-2025-15575 The firmware update functionality does not verify the authenticity of the supplied firmware update files. This allows attackers to flash malicious firmware update files on the device.Β Initial analysis... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-15574 When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The pas... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-15573 The affected devices do not validate the server certificate when connecting to the SolaX Cloud MQTTS server hosted in the Alibaba Cloud (mqtt001.solaxcloud.com, TCP 8883). This allows attackers in a m... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-1356 The Converter for Media β Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::lo... | 4.8 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.