CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-6967 Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass.Thi... | 8.7 | HIGH | β | 0 |
| CVE-2025-15570 A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. Performing a manipulation results in use after free. Attacking locally is a... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-15569 A flaw has been found in Artifex MuPDF up to 1.26.1 on Windows. The impacted element is the function get_system_dpi of the file platform/x11/win_main.c. This manipulation causes uncontrolled search pa... | 7.0 | HIGH | β | 0 |
| CVE-2025-11537 A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie a... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-2268 The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags`... | 7.5 | HIGH | β | 0 |
| CVE-2026-25656 A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3), User Management Component (UMC) (All versions < V2.15.2.1). The affected application permits improper modification of a conf... | 7.8 | HIGH | β | 0 |
| CVE-2026-25655 A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP2). The affected application permits improper modification of a configuration file by a low-privileged user. This could allow a... | 7.8 | HIGH | β | 0 |
| CVE-2026-24343 Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0. Users are recommended to... | 8.8 | HIGH | β | 0 |
| CVE-2026-23906 Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP aut... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23901 Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the ... | 2.5 | LOW | β | 0 |
| CVE-2026-23720 A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while pa... | 7.8 | HIGH | β | 0 |
| CVE-2026-23719 A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected application is vulnerable to heap-based buffer overflow while pars... | 7.8 | HIGH | β | 0 |
| CVE-2026-23718 A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while pa... | 7.8 | HIGH | β | 0 |
| CVE-2026-23717 A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while pa... | 7.8 | HIGH | β | 0 |
| CVE-2026-23716 A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while pa... | 7.8 | HIGH | β | 0 |
| CVE-2026-23715 A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds write vulnerability while p... | 7.8 | HIGH | β | 0 |
| CVE-2026-22923 A vulnerability has been identified in NX (All versions < V2512), NX (Managed Mode) (All versions < V2512). The affected application contains a data validation vulnerability that could allow an attack... | 7.8 | HIGH | β | 0 |
| CVE-2026-1922 The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all versions up to, and ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1866 The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitizat... | 7.2 | HIGH | β | 0 |
| CVE-2025-40587 A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in docume... | 7.6 | HIGH | β | 0 |
| CVE-2025-14895 The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to acces... | 5.4 | MEDIUM | β | 0 |
| CVE-2024-52334 A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF07). The affected application does not encrypt the passwords properly. This could allow an attacker to recover the ori... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-11242 Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade Inc. Okulistik allows Server Side Request Forgery.This issue affects Okulistik: th... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1722 The WCFM Marketplace β Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the pl... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-2099 AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2098 AgentFlow developed by Flowring has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing a... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-2097 Agentflow developed by Flowring has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution... | 8.8 | HIGH | β | 0 |
| CVE-2026-2096 Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-2095 Agentflow developed by Flowring has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain arbitrary user authentication token ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-2094 Docpedia developed by Flowring has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | 8.8 | HIGH | β | 0 |
| CVE-2026-2093 Docpedia developed by Flowring has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 7.5 | HIGH | β | 0 |
| CVE-2025-12063 An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions. | 5.7 | MEDIUM | β | 0 |
| CVE-2026-0996 The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authoriza... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13064 A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a... | 4.5 | MEDIUM | β | 0 |
| CVE-2025-12757 An AXIS Camera Station Pro feature can be exploited in a way that allows a non-admin user to view information they are not permitted to. | 4.6 | MEDIUM | β | 0 |
| CVE-2025-11547 AXIS Camera Station Pro contained a flaw toΒ perform a privilege escalation attack on the server as a non-admin user. | 7.8 | HIGH | β | 0 |
| CVE-2025-11142 The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or adm... | 7.1 | HIGH | β | 0 |
| CVE-2026-25981 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25980 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25979 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25978 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25977 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25976 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25975 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25974 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-25973 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-2260 A vulnerability was found in D-Link DCS-931L up to 1.13.0. This affects an unknown part of the file /goform/setSysAdmin. The manipulation of the argument AdminID results in os command injection. The a... | 7.2 | HIGH | β | 0 |
| CVE-2026-2259 A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsi... | 3.3 | LOW | β | 0 |
| CVE-2026-24328 SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposi... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-24327 Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unau... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.