CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-31868 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or conten... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-31870 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.),... | 7.5 | HIGH | β | 0 |
| CVE-2026-31871 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storag... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31872 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypas... | 7.5 | HIGH | β | 0 |
| CVE-2026-31895 WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA (Web gerenciador para instituiçáes assistenciais) contains a SQL injection vulnerability in html/matPat/restaurar_prod... | 8.8 | HIGH | β | 0 |
| CVE-2026-31896 WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The remover_produto_ocultar.php script uses extract(... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31900 Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31901 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) r... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-31954 Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks. | 0.0 | NONE | β | 0 |
| CVE-2026-31957 Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentica... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-32122 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-32123 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only cons... | 7.7 | HIGH | β | 0 |
| CVE-2026-32124 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) t... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32125 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32126 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/s... | 7.1 | HIGH | β | 0 |
| CVE-2026-32127 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library tha... | 8.8 | HIGH | β | 0 |
| CVE-2026-22319 A stack-based buffer overflow in the device's file installation workflow allows a high-privileged attacker to send oversized POST parameters that overflow a fixed-size stack buffer within an internal ... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-3918 Use after free in WebMCP in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-3919 Use after free in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML... | 8.8 | HIGH | β | 0 |
| CVE-2026-3920 Out of bounds memory access in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High... | 8.8 | HIGH | β | 0 |
| CVE-2026-3921 Use after free in TextEncoding in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-3922 Use after free in MediaStream in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-3939 Insufficient policy enforcement in PDF in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted PDF file. (Chromium security severity: Low) | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3940 Insufficient policy enforcement in DevTools in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Lo... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3941 Insufficient policy enforcement in DevTools in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Lo... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3942 Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4014 A security flaw has been discovered in itsourcecode Cafe Reservation System 1.0. This impacts an unknown function of the file /curvus2/signup.php of the component Registration. Performing a manipulati... | 7.3 | HIGH | β | 0 |
| CVE-2026-4039 A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to co... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-4040 A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure ... | 3.3 | LOW | β | 0 |
| CVE-2026-0809 Use of a custom token encoding algorithm in Streamsoft PrestiΕΌ software allowsΒ the value of the KSeF (Krajowy System e-Faktur)Β token to be guessedΒ after analyzing how tokens with know values are encod... | N/A | NONE | β | 0 |
| CVE-2026-2513 A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended ac... | N/A | NONE | β | 0 |
| CVE-2026-2514 In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed b... | N/A | NONE | β | 0 |
| CVE-2026-2987 The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and outpu... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-21666 A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | 9.9 | CRITICAL | β | 0 |
| CVE-2019-25525 Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the guests parameter. A... | 8.2 | HIGH | β | 0 |
| CVE-2019-25526 Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the location parameter.... | 8.2 | HIGH | β | 0 |
| CVE-2019-25527 Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the numguest parameter.... | 8.2 | HIGH | β | 0 |
| CVE-2019-25528 Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter... | 8.2 | HIGH | β | 0 |
| CVE-2019-25529 Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. Attackers can send... | 7.1 | HIGH | β | 0 |
| CVE-2026-31841 Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces from declarative config. Prior to v2.2.0, the search tool allows LLMs to search for tools using natural language. While ... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-13462 The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in... | N/A | NONE | β | 0 |
| CVE-2026-26791 GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26792 GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, hash_t... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-26794 GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the add_group() function. This vulnerability allows attackers to execute arbitrary SQL database operations via a... | 8.8 | HIGH | β | 0 |
| CVE-2026-26795 GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitr... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-70245 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWizardSelectMode. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-70873 An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file. | 7.5 | HIGH | β | 0 |
| CVE-2026-26793 GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to execute arbitrary commands via a crafted inp... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-2376 A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the applicati... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-32138 NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Fo... | 8.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.