CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID and description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-30560 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The app... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-12886 The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unaut... | 7.2 | HIGH | β | 0 |
| CVE-2016-20045 HNB Organizer 1.9.18-10 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -rc command-line parameter. Attac... | 8.4 | HIGH | β | 0 |
| CVE-2016-20046 zFTP Client 20061220+dfsg3-4.1 contains a buffer overflow vulnerability in the NAME parameter handling of FTP connections that allows local attackers to crash the application or execute arbitrary code... | 8.4 | HIGH | β | 0 |
| CVE-2016-20047 EKG Gadu 1.9~pre+r2855-3+b1 contains a local buffer overflow vulnerability in the username handling that allows local attackers to execute arbitrary code by supplying an oversized username string. Att... | 8.4 | HIGH | β | 0 |
| CVE-2016-20048 iSelect 1.4.0-2+b1 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized value to the -k/--key parameter. Attackers can craft a... | 8.4 | HIGH | β | 0 |
| CVE-2017-20225 TiEmu 2.08 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting inadequate boundary checks on user-supplied input. Attackers can... | 9.8 | CRITICAL | β | 0 |
| CVE-2018-25225 SIPP 3.3 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious input in the configuration file. Attackers ca... | 8.4 | HIGH | β | 0 |
| CVE-2026-2595 The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30566 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_customers.php file via the "limit" parameter. The... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-5019 A security vulnerability has been detected in code-projects Simple Food Order System 1.0. Affected by this vulnerability is an unknown functionality of the file all-orders.php of the component Paramet... | 7.3 | HIGH | β | 0 |
| CVE-2026-4851 GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-32980 OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources... | 7.5 | HIGH | β | 0 |
| CVE-2026-32987 OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times be... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33572 OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcrip... | 8.4 | HIGH | β | 0 |
| CVE-2026-21712 A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing t... | N/A | NONE | β | 0 |
| CVE-2026-5046 A flaw has been found in Tenda FH1201 1.2.0.14(408). Affected is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component Parameter Handler. Executing a manipulation of the argume... | 8.8 | HIGH | β | 0 |
| CVE-2026-34005 In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (T... | 8.8 | HIGH | β | 0 |
| CVE-2018-25228 NetSetMan 4.7.1 contains a buffer overflow vulnerability in the Workgroup feature that allows local attackers to crash the application by supplying oversized input. Attackers can create a malicious co... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-0560 A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function... | 7.5 | HIGH | β | 0 |
| CVE-2026-0558 A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not e... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-5107 A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation lea... | 4.2 | MEDIUM | β | 0 |
| CVE-2026-2328 An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information... | 7.5 | HIGH | β | 0 |
| CVE-2018-25229 BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string.... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-3945 An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (D... | 7.5 | HIGH | β | 0 |
| CVE-2026-4415 Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location... | 8.1 | HIGH | β | 0 |
| CVE-2026-4416 The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine... | 7.8 | HIGH | β | 0 |
| CVE-2026-1612 AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app it... | N/A | NONE | β | 0 |
| CVE-2026-5128 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2018-25230 Free IP Switcher 3.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Computer Name field. Attackers can pas... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-4425 Rejected reason: Reserved for EastLink case, but no need for CVE anymore | N/A | NONE | β | 0 |
| CVE-2026-4266 An Insecure Deserialization vulnerability in WatchGuard Fireware OS allows an attacker that has obtained write access to the local filesystem through another vulnerability to execute arbitrary code in... | N/A | NONE | β | 0 |
| CVE-2026-4315 A Cross-Site Request Forgery (CSRF) vulnerability in the WatchGuard Fireware OS WebUI could allow a remote attacker to trigger a denial-of-service (DoS) condition in the Fireware Web UI by convincing ... | N/A | NONE | β | 0 |
| CVE-2026-30457 An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute arbitrary code via crafted PHP code. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25903 Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The... | 6.6 | MEDIUM | β | 0 |
| CVE-2026-27196 Statamic is a Laravel and Git powered content management system (CMS). Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which al... | 8.1 | HIGH | β | 0 |
| CVE-2026-21902 An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-b... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-48611 In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. ... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-32851 MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-32852 MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-32642 Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscriptio... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33680 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, ... | 7.5 | HIGH | β | 0 |
| CVE-2026-29969 A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary JavaScript in the context of the user's browser via a ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30458 An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-30463 Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component. | 7.7 | HIGH | β | 0 |
| CVE-2026-32284 The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allow... | 7.5 | HIGH | β | 0 |
| CVE-2026-3531 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4946 Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI... | 8.8 | HIGH | β | 0 |
| CVE-2026-28526 BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller LIST_PLAYER_APPLICATION_SETTING_ATTRIBUTES and LIST_PLAYER_APPLICATION_SETTING_VALUES ha... | 3.5 | LOW | β | 0 |
| CVE-2026-28527 BlueKitchen BTstack versions prior to 1.8.1 contain an out-of-bounds read vulnerability in the AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_T... | 3.5 | LOW | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.