CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-69762 Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the list parameter, which can cause memory corruption and enable remote code execution. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69763 Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the vlanId parameter, which can cause memory corruption and enable remote code execution. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-68135 EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminat... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-12781 When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" ... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13465 Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetΒ and _.omitΒ functions. An attacker can pass crafted paths which cause Lodash to delete methods from global pro... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-68136 EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP soc... | 7.4 | HIGH | β | 0 |
| CVE-2025-68137 EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete head... | 8.3 | HIGH | β | 0 |
| CVE-2025-68138 EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are... | 4.7 | MEDIUM | β | 0 |
| CVE-2025-50002 Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server.This issue affects Energia: from n/a through <= 1.1.2. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22808 fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulne... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-22822 External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecre... | 8.8 | HIGH | β | 0 |
| CVE-2026-22849 Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any bac... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-23499 Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23958 Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the userβs password as the JWT signing secret. This deterministic secret derivation... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23961 Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow alre... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-23959 CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-23962 Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote p... | 7.5 | HIGH | β | 0 |
| CVE-2026-23963 Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters,... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-24034 Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are ... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-13335 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authent... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1225 ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the cla... | N/A | NONE | β | 0 |
| CVE-2026-1332 MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related informatio... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-10024 Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection.This issue affects Education Mana... | 7.5 | HIGH | β | 0 |
| CVE-2025-10855 Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025... | 7.5 | HIGH | β | 0 |
| CVE-2025-10856 Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection.This issue affects Teknoera: through 01102025. | 8.1 | HIGH | β | 0 |
| CVE-2025-14295 Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows.Β Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web ses... | N/A | NONE | β | 0 |
| CVE-2025-12738 Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability a... | N/A | NONE | β | 0 |
| CVE-2025-13927 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a de... | 7.5 | HIGH | β | 0 |
| CVE-2025-50003 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion.This issue affects Amul... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1328 A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manip... | 8.8 | HIGH | β | 0 |
| CVE-2026-1329 A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is the function fromGetWifiGuestBasic of the file /goform/WifiGuestSet. Executing a manipulation of the argument guestWrlPwd/guestEn... | 8.8 | HIGH | β | 0 |
| CVE-2025-32056 The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN t... | 4.0 | MEDIUM | β | 0 |
| CVE-2025-32057 The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 β 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-69820 Directory Traversal vulnerability in Beam beta9 v.0.1.521 allows a remote attacker to obtain sensitive information via the joinCleanPath function. | 6.0 | MEDIUM | β | 0 |
| CVE-2025-52762 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS.This issue affects flexo-... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-53240 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS.This issue affects W... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-54002 Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects xSmart: from n/a through <= 1.2.9.4. | 8.8 | HIGH | β | 0 |
| CVE-2025-54003 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion.This issue affects De... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-56589 A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could... | 7.5 | HIGH | β | 0 |
| CVE-2025-5805 Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Electron: from n/a through <= 1.8.2. | 8.8 | HIGH | β | 0 |
| CVE-2025-62050 Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic.This issue affects Blogmatic: from n/a through <= 1.0.3. | 9.9 | CRITICAL | β | 0 |
| CVE-2025-62056 Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event.This issue affects News Event: from n/a through <= 1.0.1. | 9.9 | CRITICAL | β | 0 |
| CVE-2025-62077 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker allows Stored XSS.This issue affe... | 5.9 | MEDIUM | β | 0 |
| CVE-2025-62106 Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a throu... | 8.8 | HIGH | β | 0 |
| CVE-2025-62741 Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery.This issue affects Pool Services: from n/a through <= 3.3. | 9.1 | CRITICAL | β | 0 |
| CVE-2025-66139 Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audier For Elementor: ... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-66140 Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uper for Elementor: from n... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-66141 Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Scroller: from n/a through <= 2.0.2. | 5.4 | MEDIUM | β | 0 |
| CVE-2025-66142 Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comparimag... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-66143 Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crumber: from n/a through <= 1.0.1... | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.