CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2019-25467 Verypdf docPrint Pro 8.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized alphanumeric encoded pay... | 8.4 | HIGH | β | 0 |
| CVE-2019-25469 Folder Lock 7.7.9 contains a buffer overflow vulnerability in the serial number registration field that allows local attackers to crash the application by submitting an oversized payload. Attackers ca... | 6.2 | MEDIUM | β | 0 |
| CVE-2019-25470 eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint.... | 7.5 | HIGH | β | 0 |
| CVE-2019-25474 Easy MP3 Downloader 4.7.8.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long unlock code. Attackers can generate a file co... | 6.2 | MEDIUM | β | 0 |
| CVE-2019-25475 SQL Server Password Changer 1.90 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload. Attackers can inject 6000 bytes of dat... | 6.2 | MEDIUM | β | 0 |
| CVE-2016-20026 ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hard... | 9.8 | CRITICAL | β | 0 |
| CVE-2016-20027 ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanit... | 6.1 | MEDIUM | β | 0 |
| CVE-2016-20028 ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attac... | 4.3 | MEDIUM | β | 0 |
| CVE-2016-20029 ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipul... | 6.2 | MEDIUM | β | 0 |
| CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attack... | 9.8 | CRITICAL | β | 0 |
| CVE-2016-20031 ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers c... | 5.5 | MEDIUM | β | 0 |
| CVE-2019-25605 EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use ... | 7.5 | HIGH | β | 0 |
| CVE-2026-4639 Vitals ESP developed by Galaxy Software Services has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to perform certain administrative functions, thereby escalating pr... | 8.8 | HIGH | β | 0 |
| CVE-2019-25636 Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Attackers can sen... | 8.2 | HIGH | β | 0 |
| CVE-2019-25638 Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. A... | 7.1 | HIGH | β | 0 |
| CVE-2019-25641 Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can se... | 8.2 | HIGH | β | 0 |
| CVE-2019-25643 eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attac... | 8.2 | HIGH | β | 0 |
| CVE-2026-34446 Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path tra... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-39395 Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-39863 Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attacker... | 7.5 | HIGH | β | 0 |
| CVE-2026-39864 Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers t... | 4.4 | MEDIUM | β | 0 |
| CVE-2023-54358 WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. At... | 6.1 | MEDIUM | β | 0 |
| CVE-2023-54359 WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid'... | 8.2 | HIGH | β | 0 |
| CVE-2023-54360 Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft mali... | 6.1 | MEDIUM | β | 0 |
| CVE-2018-25258 RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers ca... | 8.4 | HIGH | β | 0 |
| CVE-2019-25691 Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitatio... | 8.4 | HIGH | β | 0 |
| CVE-2019-25695 R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a paylo... | 8.4 | HIGH | β | 0 |
| CVE-2025-15441 The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain co... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-3830 The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injec... | 8.6 | HIGH | β | 0 |
| CVE-2026-35337 Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deseri... | 8.8 | HIGH | β | 0 |
| CVE-2026-26460 A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (get... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34614 Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34627 InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploita... | 7.8 | HIGH | β | 0 |
| CVE-2026-34629 InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploita... | 7.8 | HIGH | β | 0 |
| CVE-2026-27282 ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability... | 7.5 | HIGH | β | 0 |
| CVE-2025-53444 Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a through < 5.1.11. | 4.3 | MEDIUM | β | 0 |
| CVE-2025-67841 Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. | 7.5 | HIGH | β | 0 |
| CVE-2025-12141 In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions βalert.notifications:writeβ or βalert.notifications.receivers:testβ that are granted as part... | 6.5 | MEDIUM | β | 0 |
| CVE-2019-25575 SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Att... | 8.2 | HIGH | β | 0 |
| CVE-2019-25576 Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Atta... | 8.2 | HIGH | β | 0 |
| CVE-2019-25577 SeoToaster Ecommerce 3.0.0 contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files by manipulating path parameters in backend theme endpoints. Attacke... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-30625 Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Al... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-39374 Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue acro... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-35407 Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmati... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34538 Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with t... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34512 OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termina... | 8.1 | HIGH | β | 0 |
| CVE-2026-35626 OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35638 OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verific... | 8.8 | HIGH | β | 0 |
| CVE-2026-35639 OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader opera... | 8.8 | HIGH | β | 0 |
| CVE-2026-5054 NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker m... | N/A | NONE | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.