CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-66002 An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users to perform arbitrary unmounts via smb4k mount helper | N/A | NONE | No | 0 |
| CVE-2025-66003 An External Control of File Name or Path vulnerability in smb4k allows local users to perform a local root exploit via smb4k mounthelper if they can access and control the contents of a Samba share. Thi... | N/A | NONE | No | 0 |
| CVE-2025-67603 An Improper Authorization vulnerability in Foomuuri allows arbitrary users to influence the firewall configuration. This issue affects Foomuuri: from ? before 0.31. | N/A | NONE | No | 0 |
| CVE-2026-22028 Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 cau... | 6.1 | MEDIUM | No | 0 |
| CVE-2026-22041 Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string type... | 5.3 | MEDIUM | No | 0 |
| CVE-2026-22042 RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allow... | 8.8 | HIGH | No | 0 |
| CVE-2025-63611 Cross-Site Scripting in phpgurukul Hostel Management System v2.1: user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the a... | 8.7 | HIGH | No | 0 |
| CVE-2025-67089 A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize us... | 8.1 | HIGH | No | 0 |
| CVE-2025-67090 The LuCI web interface on GL.Inet AX1800 Version 4.6.4 & 4.6.8 is vulnerable. Fix available in version 4.8.2. GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechan... | 5.1 | MEDIUM | No | 0 |
| CVE-2025-67091 An issue in GL.Inet AX1800 Version 4.6.4 & 4.6.8 is vulnerable. GL.Inet AX1800 Version 4.6.4 & 4.6.8 in the GL.iNet custom opkg wrapper script located at /usr/libexec/opkg-call. The script is... | 6.5 | MEDIUM | No | 0 |
| CVE-2025-67858 An Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration... | N/A | NONE | No | 0 |
| CVE-2026-22244 OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must ... | 7.2 | HIGH | No | 0 |
| CVE-2026-22245 Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mec... | 7.5 | HIGH | No | 0 |
| CVE-2026-22255 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 ... | 8.8 | HIGH | No | 0 |
| CVE-2025-50334 An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component | 7.5 | HIGH | No | 0 |
| CVE-2025-55125 This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file. | 7.8 | HIGH | No | 0 |
| CVE-2025-56424 An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script | 7.5 | HIGH | No | 0 |
| CVE-2025-59468 This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter. | 9.0 | CRITICAL | No | 0 |
| CVE-2025-59469 This vulnerability allows a Backup or Tape Operator to write files as root. | 9.0 | CRITICAL | No | 0 |
| CVE-2025-59470 This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter. | 9.0 | CRITICAL | No | 0 |
| CVE-2026-0671 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS). T... | 6.1 | MEDIUM | No | 0 |
| CVE-2026-21638 A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affec... | 8.8 | HIGH | No | 0 |
| CVE-2026-21639 A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Af... | 5.4 | MEDIUM | No | 0 |
| CVE-2025-14505 The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) h... | 5.6 | MEDIUM | No | 0 |
| CVE-2025-14436 The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient inpu... | 7.2 | HIGH | No | 0 |
| CVE-2026-0732 A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attac... | 6.3 | MEDIUM | No | 0 |
| CVE-2026-22714 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS). This iss... | N/A | NONE | No | 0 |
| CVE-2026-22630 Rejected reason: Not used | N/A | NONE | No | 0 |
| CVE-2026-22631 Rejected reason: Not used | N/A | NONE | No | 0 |
| CVE-2026-22632 Rejected reason: Not used | N/A | NONE | No | 0 |
| CVE-2026-22633 Rejected reason: Not used | N/A | NONE | No | 0 |
| CVE-2026-22634 Rejected reason: Not used | N/A | NONE | No | 0 |
| CVE-2026-22635 Rejected reason: Not used | N/A | NONE | No | 0 |
| CVE-2026-22636 Rejected reason: Not used | N/A | NONE | No | 0 |
| CVE-2025-14886 The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and incl... | 5.3 | MEDIUM | No | 0 |
| CVE-2025-40977 Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to '/store-ticket', using the 'subject' ... | N/A | NONE | No | 0 |
| CVE-2025-13749 The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is du... | 4.3 | MEDIUM | No | 0 |
| CVE-2025-14803 The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscriber... | 6.8 | MEDIUM | No | 0 |
| CVE-2025-14574 The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it pos... | 5.3 | MEDIUM | No | 0 |
| CVE-2025-14718 The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verify... | 5.4 | MEDIUM | No | 0 |
| CVE-2025-14720 The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and... | 5.3 | MEDIUM | No | 0 |
| CVE-2025-14736 The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role ... | 9.8 | CRITICAL | No | 0 |
| CVE-2025-14782 The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_... | 5.3 | MEDIUM | No | 0 |
| CVE-2025-14893 The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and outp... | 6.4 | MEDIUM | No | 0 |
| CVE-2025-14980 The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated att... | 6.5 | MEDIUM | No | 0 |
| CVE-2025-15019 The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versio... | 6.4 | MEDIUM | No | 0 |
| CVE-2025-15055 The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input... | 7.2 | HIGH | No | 0 |
| CVE-2025-15057 The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient i... | 7.2 | HIGH | No | 0 |
| CVE-2025-70974 Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that... | 10.0 | CRITICAL | No | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contain a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | No | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.