CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-2351 The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authent... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-40107 SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Me... | 6.5 | MEDIUM | — | 0 |
| CVE-2019-25562 jetAudio 8.1.7 contains a buffer overflow vulnerability in the video converter component that allows local attackers to crash the application by supplying an oversized string in the File Naming field.... | 5.5 | MEDIUM | — | 0 |
| CVE-2019-25595 jetAudio 8.1.7.20702 Basic contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string through the URL input handler. Attack... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25598 HeidiSQL Portable 10.1.0.5464 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers c... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25599 Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25600 UltraVNC Viewer 1.2.2.4 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized string to the VNC Server input field. Attackers can paste a ... | 6.5 | MEDIUM | — | 0 |
| CVE-2019-25601 UltraVNC Launcher 1.2.2.4 contains a buffer overflow vulnerability in the Path vncviewer.exe property field that allows local attackers to crash the application by supplying an excessively long string... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25602 GSearch 1.0.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting an excessively long string in the search bar. Attackers can paste a buffer ... | 5.5 | MEDIUM | — | 0 |
| CVE-2019-25603 TuneClone 2.20 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious license code string. Attackers... | 8.4 | HIGH | — | 0 |
| CVE-2019-25606 Fast AVI MPEG Joiner 1.2.0812 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload in the License Name field. Attackers can c... | 5.5 | MEDIUM | — | 0 |
| CVE-2018-25243 FastTube 1.0.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can pas... | 6.2 | MEDIUM | — | 0 |
| CVE-2018-25244 Eco Search 1.0.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can p... | 6.2 | MEDIUM | — | 0 |
| CVE-2018-25245 7 Tik 1.0.1.0 contains a denial of service vulnerability that allows attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a ... | 7.5 | HIGH | — | 0 |
| CVE-2018-25251 Snes9K 0.0.9z contains a buffer overflow vulnerability in the Netplay Socket Port Number field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Attackers can craf... | 8.4 | HIGH | — | 0 |
| CVE-2018-25246 Wikipedia 12.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can p... | 7.5 | HIGH | — | 0 |
| CVE-2019-25656 R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious i... | 8.4 | HIGH | — | 0 |
| CVE-2019-25658 a-Mac Address Change 5.4 contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input to registration form fields. Attackers can pas... | 5.5 | MEDIUM | — | 0 |
| CVE-2019-25661 Remote Process Explorer 1.0.0.16 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by sending a crafted payload to the Add Computer dialog. Attackers ca... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-27776 IM-LogicDesigner module of intra-mart Accel Platform contains insecure deserialization issue. This can be exploited only when IM-LogicDesigner is deployed on the system. Arbitrary code may be executed... | 8.8 | HIGH | — | 0 |
| CVE-2026-32027 OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can ex... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32767 SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is s... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-33040 libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and ... | 7.5 | HIGH | — | 0 |
| CVE-2026-33041 WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker ca... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33055 tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE... | 8.1 | HIGH | — | 0 |
| CVE-2026-33066 SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdo... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-33067 SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package ... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-33186 gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go serve... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-33204 SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used... | 7.5 | HIGH | — | 0 |
| CVE-2026-33221 Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-s... | N/A | NONE | — | 0 |
| CVE-2026-33210 Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or inf... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-33549 SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling. | 6.7 | MEDIUM | — | 0 |
| CVE-2026-33352 WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowC... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3635 Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4647 A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF objec... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4645 Rejected reason: Duplicate of CVE-2026-32287 | N/A | NONE | — | 0 |
| CVE-2026-27448 pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled ex... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27894 LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF e... | 8.8 | HIGH | — | 0 |
| CVE-2026-27895 LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly vali... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28673 xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containi... | 7.2 | HIGH | — | 0 |
| CVE-2026-28674 xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to... | 7.2 | HIGH | — | 0 |
| CVE-2026-32815 SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id... | 7.5 | HIGH | — | 0 |
| CVE-2026-29109 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the Save... | 7.2 | HIGH | — | 0 |
| CVE-2026-29189 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control L... | 8.1 | HIGH | — | 0 |
| CVE-2026-32697 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by modul... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-32756 Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF... | 8.8 | HIGH | — | 0 |
| CVE-2026-32757 Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecar... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32753 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32754 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-30874 OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable fil... | 7.8 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.