CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-28270 Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators co... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-28268 Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password r... | 9.8 | CRITICAL | β | 0 |
| CVE-2018-25160 HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an appli... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3255 HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in ra... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28354 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify ano... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28231 pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attac... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27947 Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF ... | 8.8 | HIGH | β | 0 |
| CVE-2026-27836 phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF prote... | 7.5 | HIGH | β | 0 |
| CVE-2026-27832 Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `ad... | 8.8 | HIGH | β | 0 |
| CVE-2026-27824 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban ke... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-27810 calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Serv... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-27793 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, inc... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27792 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and pri... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-27734 Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "conta... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27707 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth... | 7.3 | HIGH | β | 0 |
| CVE-2026-27583 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27582 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27581 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27580 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27573 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27501 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27500 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27201 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-27200 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-26997 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-22717 Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the ... | 2.7 | LOW | β | 0 |
| CVE-2026-2880 A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router no... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27758 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a cross-site request forgery vulnerability in its management interface that allows attackers to induce authenticated users into submi... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-27757 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. A... | 7.1 | HIGH | β | 0 |
| CVE-2026-27756 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. At... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27755 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD5... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-27754 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictab... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-22716 Out-of-bound write vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to terminate certainΒ Workstation processes. | 5.0 | MEDIUM | β | 0 |
| CVE-2026-27753 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interf... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-27752 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe netwo... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-27751 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attacke... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26862 CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuild... | 8.3 | HIGH | β | 0 |
| CVE-2026-26861 CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeD... | 8.3 | HIGH | β | 0 |
| CVE-2026-21619 Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Objec... | 7.5 | HIGH | β | 0 |
| CVE-2019-25497 osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send ... | 8.2 | HIGH | β | 0 |
| CVE-2019-25496 osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can mo... | 8.2 | HIGH | β | 0 |
| CVE-2019-25495 osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can sen... | 8.2 | HIGH | β | 0 |
| CVE-2019-25494 Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password... | 8.2 | HIGH | β | 0 |
| CVE-2019-25493 Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requ... | 8.2 | HIGH | β | 0 |
| CVE-2019-25492 Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET reque... | 8.2 | HIGH | β | 0 |
| CVE-2019-25491 Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requ... | 8.2 | HIGH | β | 0 |
| CVE-2019-25490 Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET reques... | 8.2 | HIGH | β | 0 |
| CVE-2019-25489 Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET ... | 8.2 | HIGH | β | 0 |
| CVE-2026-2293 A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1... | N/A | NONE | β | 0 |
| CVE-2026-25147 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is tak... | 7.1 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.