CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-30702 The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, al... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30703 A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input pr... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33040 libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and ... | 7.5 | HIGH | β | 0 |
| CVE-2026-33041 WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker ca... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33055 tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE... | 8.1 | HIGH | β | 0 |
| CVE-2026-33066 SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdo... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-33067 SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package ... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-4438 Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostn... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-55988 An issue in the component /Controllers/RestController.php of DreamFactory Core v1.0.3 allows attackers to execute a directory traversal via an unsanitized URI path. | 7.2 | HIGH | β | 0 |
| CVE-2025-63261 AWStats 8.0 is vulnerable to Command Injection via the open function | 7.8 | HIGH | β | 0 |
| CVE-2026-33140 PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (X... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27284 InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory str... | 7.8 | HIGH | β | 0 |
| CVE-2026-3572 The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verifica... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4598 Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative in... | 7.5 | HIGH | β | 0 |
| CVE-2026-4599 Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functio... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-4602 Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation o... | 7.5 | HIGH | β | 0 |
| CVE-2026-33479 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array v... | 8.8 | HIGH | β | 0 |
| CVE-2026-1046 Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a userβs system via the user clicking on... | 7.6 | HIGH | β | 0 |
| CVE-2026-27115 ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below have an unvalidated command-line argument that allows any user to trigger recursive deletion of arbitrary directories on th... | 7.1 | HIGH | β | 0 |
| CVE-2026-23939 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability... | 7.5 | HIGH | β | 0 |
| CVE-2026-2749 Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, ... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-32008 OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access t... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32009 OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist evaluation that trusts static default directories including writable package-manager paths like /op... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-32020 OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under ... | 3.3 | LOW | β | 0 |
| CVE-2026-32025 OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deploymen... | 7.5 | HIGH | β | 0 |
| CVE-2026-32815 SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id... | 7.5 | HIGH | β | 0 |
| CVE-2026-29109 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the Save... | 7.2 | HIGH | β | 0 |
| CVE-2026-29189 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control L... | 8.1 | HIGH | β | 0 |
| CVE-2026-32697 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by modul... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32756 Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF... | 8.8 | HIGH | β | 0 |
| CVE-2026-32757 Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecar... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32052 OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers af... | 6.4 | MEDIUM | β | 0 |
| CVE-2019-25546 NetAware 1.20 contains a buffer overflow vulnerability in the Share Name field that allows local attackers to crash the application by supplying an excessively long string. Attackers can trigger a den... | 6.2 | MEDIUM | β | 0 |
| CVE-2019-25547 NetAware 1.20 contains a buffer overflow vulnerability in the User Blocking feature that allows local attackers to crash the application by supplying oversized input. Attackers can paste a malicious b... | 6.2 | MEDIUM | β | 0 |
| CVE-2019-25551 Sandboxie 5.30 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Program Alerts configuration field. Attack... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-4600 Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related... | 7.4 | HIGH | β | 0 |
| CVE-2026-32816 Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state chang... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-32818 Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32939 DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsin... | 8.1 | HIGH | β | 0 |
| CVE-2026-33142 OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name va... | 8.1 | HIGH | β | 0 |
| CVE-2026-33164 libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This... | 7.5 | HIGH | β | 0 |
| CVE-2026-32913 OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redi... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-4611 A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the a... | 7.2 | HIGH | β | 0 |
| CVE-2026-32911 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-32912 Rejected reason: This CVE ID has been rejected. | N/A | NONE | β | 0 |
| CVE-2026-34979 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when buil... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35574 ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissio... | 7.3 | HIGH | β | 0 |
| CVE-2026-35580 Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated di... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-35581 Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values β including the PLACE_NAME pa... | 7.2 | HIGH | β | 0 |
| CVE-2026-35585 File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser β wh... | 7.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.