CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-21531 Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-21537 Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network. | 8.8 | HIGH | β | 0 |
| CVE-2026-25577 Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malfo... | 7.5 | HIGH | β | 0 |
| CVE-2026-25611 A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server. | 7.5 | HIGH | β | 0 |
| CVE-2026-25612 The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this rep... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25646 LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists ... | 8.1 | HIGH | β | 0 |
| CVE-2026-21345 Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory struct... | 7.8 | HIGH | β | 0 |
| CVE-2026-25728 ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #40, a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in ClipBucket's avatar and background image up... | 7.5 | HIGH | β | 0 |
| CVE-2026-25950 Rejected reason: Further research determined the issue is not a vulnerability. | N/A | NONE | β | 0 |
| CVE-2026-25956 Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-21341 Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of t... | 7.8 | HIGH | β | 0 |
| CVE-2026-21342 Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of t... | 7.8 | HIGH | β | 0 |
| CVE-2026-21343 Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory struct... | 7.8 | HIGH | β | 0 |
| CVE-2026-21344 Substance3D - Stager versions 3.1.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory struct... | 7.8 | HIGH | β | 0 |
| CVE-2026-21348 Substance3D - Modeler versions 1.22.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sens... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-2303 The mongo-go-driver repositoryΒ contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incor... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-12699 The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS whe... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-1495 The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1507 The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service. | 7.5 | HIGH | β | 0 |
| CVE-2026-26006 AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The autogpt before 0.6.32 is vulnerable to Regular Expr... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25251 Rejected reason: This has been moved to the REJECTED state because the information source is under review. If circumstances change, it is possible that this will be moved to the PUBLISHED state at a l... | N/A | NONE | β | 0 |
| CVE-2026-25870 DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs serve... | 5.8 | MEDIUM | β | 0 |
| CVE-2025-47209 A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (Do... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25872 JUNG Smart Panel KNX firmware version L1.12.22 and prior contain an unauthenticated path traversal vulnerability in the embedded web interface. The application fails to properly validate file path inp... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13431 The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the βargsβ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supp... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14541 The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PH... | 7.2 | HIGH | β | 0 |
| CVE-2025-15524 The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and includi... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1231 The Beaver Builder Page Builder β Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and incl... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1893 The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_label' parameter in the 'orbisius_random_name_generator' shortcode in all versions up ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-26036 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-26037 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-26038 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-26039 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-26040 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-26041 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-26042 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-26079 Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled. | 4.7 | MEDIUM | β | 0 |
| CVE-2025-15400 The OpenPix for WooCommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. T... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1235 The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1357 The Migration, Backup, Staging β WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-10912 Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables.This issue affects TemizlikYo... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-10913 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Cross-Site Scripting (XSS... | 8.3 | HIGH | β | 0 |
| CVE-2025-15440 The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanit... | 7.2 | HIGH | β | 0 |
| CVE-2025-9986 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation.This issue affects DIGIKENT: through ... | 8.2 | HIGH | β | 0 |
| CVE-2026-0724 The WPlyr Media Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wplyr_accent_color' parameter in all versions up to, and including, 1.3.0 due to insufficient input sa... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-0815 The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-image' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and ... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-1215 The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configur... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1560 The Custom Block Builder β Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. ... | 8.8 | HIGH | β | 0 |
| CVE-2026-1786 The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1804 The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficien... | 6.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.