CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-24810 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in rethinkdb (src/cjson modules). This vulnerability is associated with program files cJSON.Cc. This issue affects... | N/A | NONE | No | 0 |
| CVE-2020-36957 PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with ele... | 7.8 | HIGH | No | 0 |
| CVE-2020-36958 Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquo... | 7.8 | HIGH | No | 0 |
| CVE-2020-36959 IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquote... | 7.8 | HIGH | No | 0 |
| CVE-2020-36960 Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<sc... | 6.4 | MEDIUM | No | 0 |
| CVE-2025-57783 Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha... | 5.3 | MEDIUM | No | 0 |
| CVE-2025-57784 Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client. | 3.3 | LOW | No | 0 |
| CVE-2025-57785 A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution. | 6.5 | MEDIUM | No | 0 |
| CVE-2025-71178 Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs us... | N/A | NONE | No | 0 |
| CVE-2026-1446 There is a Cross-Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the applicat... | 5.0 | MEDIUM | No | 0 |
| CVE-2026-24428 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the ad... | 8.8 | HIGH | No | 0 |
| CVE-2026-24429 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during i... | 9.8 | CRITICAL | No | 0 |
| CVE-2026-24430 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because... | 7.5 | HIGH | No | 0 |
| CVE-2026-24431 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the a... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-24432 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administra... | 4.3 | MEDIUM | No | 0 |
| CVE-2026-24433 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation all... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-24435 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device s... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-24436 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform ... | 9.8 | CRITICAL | No | 0 |
| CVE-2026-24437 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store cred... | 5.5 | MEDIUM | No | 0 |
| CVE-2026-24439 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers t... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-24440 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing pa... | 8.8 | HIGH | No | 0 |
| CVE-2025-70368 Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then ren... | 5.4 | MEDIUM | No | 0 |
| CVE-2025-11065 A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messag... | 5.3 | MEDIUM | No | 0 |
| CVE-2025-11687 A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page, enabling DOM access, session cookie theft and other client-side attacks, via a... | 6.1 | MEDIUM | No | 0 |
| CVE-2025-14459 A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access t... | 8.5 | HIGH | No | 0 |
| CVE-2025-14525 A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action... | 6.4 | MEDIUM | No | 0 |
| CVE-2025-14969 A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking conn... | 4.3 | MEDIUM | No | 0 |
| CVE-2025-9615 A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon... | N/A | NONE | No | 0 |
| CVE-2026-1443 A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument... | 7.3 | HIGH | No | 0 |
| CVE-2026-24813 NULL Pointer Dereference vulnerability in abcz316 SKRoot-linuxKernelRoot (testRoot/jni/utils modules). This vulnerability is associated with program files cJSON.Cpp. This issue affects SKRoot-linuxKe... | N/A | NONE | No | 0 |
| CVE-2026-24814 Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C. This issue affects swoole-src: before 6.0.2. | N/A | NONE | No | 0 |
| CVE-2026-23864 Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulne... | 7.5 | HIGH | No | 0 |
| CVE-2025-59471 A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads exter... | 5.9 | MEDIUM | No | 0 |
| CVE-2025-59473 SQL Injection vulnerability in the Structure for Admin authenticated user | 7.2 | HIGH | No | 0 |
| CVE-2026-1444 A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such ma... | 2.4 | LOW | No | 0 |
| CVE-2026-1445 A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php.... | 4.7 | MEDIUM | No | 0 |
| CVE-2026-22696 dcap-qvl implements the quote verification logic for DCAP (Data Center Attestation Primitives). A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verifica... | N/A | NONE | No | 0 |
| CVE-2026-22709 vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape ... | 9.8 | CRITICAL | No | 0 |
| CVE-2026-23888 pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vul... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-23889 pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The ... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-23890 pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-24003 EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transitio... | 4.3 | MEDIUM | No | 0 |
| CVE-2026-24056 pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the... | 6.5 | MEDIUM | No | 0 |
| CVE-2026-24131 pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malic... | 5.5 | MEDIUM | No | 0 |
| CVE-2025-30248 DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's searc... | N/A | NONE | No | 0 |
| CVE-2026-24123 BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attac... | 7.4 | HIGH | No | 0 |
| CVE-2026-24470 Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service o... | 8.1 | HIGH | No | 0 |
| CVE-2026-24476 Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add ... | 5.4 | MEDIUM | No | 0 |
| CVE-2026-24815 Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability... | N/A | NONE | No | 0 |
| CVE-2026-1157 A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffe... | 8.8 | HIGH | No | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.