CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-5206 A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-30521 A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific i... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3356 The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanis... | N/A | NONE | β | 0 |
| CVE-2026-5209 A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulat... | 2.4 | LOW | β | 0 |
| CVE-2026-5210 A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation... | 7.3 | HIGH | β | 0 |
| CVE-2026-2950 Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisorie... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-30280 An arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 allows attackers to overwrite critical internal files via the file import process,... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-30285 An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code executi... | N/A | NONE | β | 0 |
| CVE-2026-30290 An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execu... | N/A | NONE | β | 0 |
| CVE-2026-34203 Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defi... | 2.7 | LOW | β | 0 |
| CVE-2026-34204 MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inje... | N/A | NONE | β | 0 |
| CVE-2026-34206 Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site sc... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34215 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized aut... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34365 InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnera... | 7.6 | HIGH | β | 0 |
| CVE-2026-34784 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the af... | 7.5 | HIGH | β | 0 |
| CVE-2026-4800 Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports ... | 8.1 | HIGH | β | 0 |
| CVE-2026-5211 A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1... | 8.8 | HIGH | β | 0 |
| CVE-2026-1579 The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-34366 InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnera... | 7.6 | HIGH | β | 0 |
| CVE-2026-34367 InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnera... | 7.6 | HIGH | β | 0 |
| CVE-2026-34372 Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via... | N/A | NONE | β | 0 |
| CVE-2026-34381 Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker im... | 7.5 | HIGH | β | 0 |
| CVE-2026-34382 Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validatin... | 4.6 | MEDIUM | β | 0 |
| CVE-2026-34383 Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, comple... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-34384 Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations ... | 4.5 | MEDIUM | β | 0 |
| CVE-2026-34394 WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlob... | 8.1 | HIGH | β | 0 |
| CVE-2026-34395 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balanc... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34396 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other outp... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34586 PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence β... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34611 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the p... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34613 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoin... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34716 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the ca... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-34731 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. T... | 7.5 | HIGH | β | 0 |
| CVE-2026-34732 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the compa... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34733 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34737 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. Thi... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34738 WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's statu... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-34739 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without apply... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34740 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrar... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-3468 A stored Cross-Site Scripting (XSS) vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowi... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-3469 A denial-of-service (DoS) vulnerability exists due to improper input validation in the SonicWall Email Security appliance, allowing a remote authenticated attacker as admin user to cause the applicati... | 2.7 | LOW | β | 0 |
| CVE-2026-3470 A vulnerability exists in the SonicWall Email Security appliance due to improper input sanitization that may lead to data corruption, allowing a remote authenticated attacker as admin user could explo... | 3.8 | LOW | β | 0 |
| CVE-2026-5212 A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726... | 8.8 | HIGH | β | 0 |
| CVE-2026-5213 A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726... | 8.8 | HIGH | β | 0 |
| CVE-2026-34400 Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-sup... | N/A | NONE | β | 0 |
| CVE-2026-34401 XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by defau... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34404 Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the imageβgeneration component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a Denial of Servi... | N/A | NONE | β | 0 |
| CVE-2026-34405 Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the imageβgeneration component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability t... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34406 APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the ed... | N/A | NONE | β | 0 |
| CVE-2026-34441 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves ... | 4.8 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.