CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-3534 The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3824 IFTOP developed by WellChoose has an Open redirect vulnerability, allowing authenticated remote attackers to craft a URL that tricks users into visiting malicious website. | 6.1 | MEDIUM | β | 0 |
| CVE-2026-3825 IFTOP developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attac... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-3826 IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-14024 An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then explo... | 6.7 | MEDIUM | β | 0 |
| CVE-2024-14025 An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerabili... | 6.7 | MEDIUM | β | 0 |
| CVE-2024-14026 A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then explo... | 7.8 | HIGH | β | 0 |
| CVE-2026-1708 The Appointment Booking Calendar β Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to ... | 7.5 | HIGH | β | 0 |
| CVE-2026-2917 The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. Th... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2918 The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is du... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-32334 Missing Authorization vulnerability in raratheme JobScout jobscout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobScout: from n/a through <= 1.1.7. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3903 The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1454 The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. T... | 7.2 | HIGH | β | 0 |
| CVE-2026-1992 The ExactMetrics β Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in th... | 8.8 | HIGH | β | 0 |
| CVE-2026-1993 The ExactMetrics β Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accep... | 8.8 | HIGH | β | 0 |
| CVE-2026-3231 The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the Woo... | 7.2 | HIGH | β | 0 |
| CVE-2019-25478 GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that allows remote attackers to cause denial of service by sending HTTP responses with excessively long headers. Attackers ca... | 7.5 | HIGH | β | 0 |
| CVE-2026-3492 The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3906 WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1965 libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent reques... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3783 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3784 curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a s... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3805 When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | 7.5 | HIGH | β | 0 |
| CVE-2026-3178 The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' parameter in all versions up to, and including, 1.32.1 due to insufficient input sani... | 7.2 | HIGH | β | 0 |
| CVE-2026-3943 A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The manipulation of the argument suffix results in command... | 7.3 | HIGH | β | 0 |
| CVE-2026-3944 A vulnerability was determined in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /att_add.php. This manipulation of the argument Name causes sql inj... | 7.3 | HIGH | β | 0 |
| CVE-2026-32059 OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag check... | 8.8 | HIGH | β | 0 |
| CVE-2026-32060 OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch i... | 8.8 | HIGH | β | 0 |
| CVE-2026-32061 OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attack... | 4.4 | MEDIUM | β | 0 |
| CVE-2019-25480 ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences... | 7.5 | HIGH | β | 0 |
| CVE-2026-5583 A security vulnerability has been detected in PHPGurukul Online Shopping Portal Project 2.1. This affects an unknown part of the file /my-profile.php of the component Parameter Handler. The manipulati... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-32063 OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF char... | 7.1 | HIGH | β | 0 |
| CVE-2026-3496 The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user suppl... | 7.5 | HIGH | β | 0 |
| CVE-2026-3904 Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on i... | 6.2 | MEDIUM | β | 0 |
| CVE-2025-67298 An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile | 8.1 | HIGH | β | 0 |
| CVE-2025-70027 An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. This allows attackers to obtain sensitive information | 7.5 | HIGH | β | 0 |
| CVE-2025-70330 Easy Grade Pro 4.1.0.2 contains a file parsing logic flaw in the handling of proprietary .EGP gradebook files. By modifying specific fields at precise offsets within an otherwise valid .EGP file, an a... | 3.3 | LOW | β | 0 |
| CVE-2026-30900 Improper Check of minimum version in update functionality of certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation of privilege via local access. | 7.8 | HIGH | β | 0 |
| CVE-2026-3946 A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Performing a manipulation of the argument askcontent results in cross site ... | 3.5 | LOW | β | 0 |
| CVE-2025-12576 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticat... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-12690 Execution with unnecessary privileges in Forcepoint NGFW Engine allows local privilege escalation.This issue affects NGFW Engine through 6.10.19,Β through 7.3.0, through 7.2.4, through 7.1.10. | N/A | NONE | β | 0 |
| CVE-2025-12697 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-... | 2.2 | LOW | β | 0 |
| CVE-2025-12704 GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual R... | 3.5 | LOW | β | 0 |
| CVE-2025-13690 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a deni... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20116 A vulnerability in the web-based management interface of Cisco Finesse, Cisco Packaged Contact Center Enterprise (Packaged CCE), Cisco Unified Contact Center Enterprise (Unified CCE), Cisco Unif... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-13929 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a den... | 7.5 | HIGH | β | 0 |
| CVE-2025-14513 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a de... | 7.5 | HIGH | β | 0 |
| CVE-2026-0602 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose meta... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1069 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted ... | 7.5 | HIGH | β | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.