CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-25237 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25484 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displa... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-25485 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-25486 Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administratorβs ... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-25487 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | β | 0 |
| CVE-2020-37065 StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a m... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25522 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | β | 0 |
| CVE-2025-10878 A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unau... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-62601 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, m... | 7.5 | HIGH | β | 0 |
| CVE-2025-62602 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, m... | 7.5 | HIGH | β | 0 |
| CVE-2025-62603 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that car... | 7.5 | HIGH | β | 0 |
| CVE-2026-24434 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24441 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. | 5.9 | MEDIUM | β | 0 |
| CVE-2026-25614 Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | 7.5 | HIGH | β | 0 |
| CVE-2026-25615 Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | 7.2 | HIGH | β | 0 |
| CVE-2026-25616 Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. | 4.7 | MEDIUM | β | 0 |
| CVE-2025-65077 A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code... | N/A | NONE | β | 0 |
| CVE-2025-65078 An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code. | N/A | NONE | β | 0 |
| CVE-2025-65079 A heap-based buffer overflow vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as... | N/A | NONE | β | 0 |
| CVE-2025-65080 A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivil... | N/A | NONE | β | 0 |
| CVE-2025-65081 An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unp... | N/A | NONE | β | 0 |
| CVE-2020-37067 Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 by... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37070 CloudMe 1.11.2 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code through crafted network packets. Attackers can exploit the vulnerability by sending a spe... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37071 CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37072 Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript pa... | 7.2 | HIGH | β | 0 |
| CVE-2020-37073 Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malici... | 8.8 | HIGH | β | 0 |
| CVE-2020-37074 Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malic... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37075 LanSend 3.2 contains a buffer overflow vulnerability in the Add Computers Wizard file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious paylo... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37076 Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability ... | 8.2 | HIGH | β | 0 |
| CVE-2020-37077 Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploi... | 6.5 | MEDIUM | β | 0 |
| CVE-2020-37089 School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerab... | 8.2 | HIGH | β | 0 |
| CVE-2020-37090 School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attac... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37091 Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms ... | 5.3 | MEDIUM | β | 0 |
| CVE-2020-37092 Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded ... | 7.5 | HIGH | β | 0 |
| CVE-2020-37093 Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET req... | 7.5 | HIGH | β | 0 |
| CVE-2026-1341 Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. | N/A | NONE | β | 0 |
| CVE-2026-25148 Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote atta... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-25149 Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-21393 Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note t... | N/A | NONE | β | 0 |
| CVE-2026-22875 Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note t... | N/A | NONE | β | 0 |
| CVE-2026-23704 A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Typ... | N/A | NONE | β | 0 |
| CVE-2026-24447 If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedde... | N/A | NONE | β | 0 |
| CVE-2026-1819 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPor... | 8.8 | HIGH | β | 0 |
| CVE-2025-15268 The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficien... | 7.5 | HIGH | β | 0 |
| CVE-2026-0742 The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficien... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0743 The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input saniti... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-0816 The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping o... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-1370 The SIBS woocommerce payment gateway plugin for WordPress is vulnerable to time-based SQL Injection via the βreferencedIdβ parameter in all versions up to, and including, 2.2.0 due to insufficient esc... | 4.9 | MEDIUM | β | 0 |
| CVE-2025-41085 Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files... | N/A | NONE | β | 0 |
| CVE-2026-1622 Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obf... | N/A | NONE | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.