CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-1614 The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity block attribute in all versions up to, and includi... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3166 A vulnerability was identified in Tenda F453 1.0.0.3. The affected element is the function fromRouteStatic of the file /goform/RouteStatic of the component httpd. Such manipulation of the argument pag... | 8.8 | HIGH | — | 0 |
| CVE-2026-3167 A security flaw has been discovered in Tenda F453 1.0.0.3. The impacted element is the function formWebTypeLibrary of the file /goform/webtypelibrary of the component httpd. Performing a manipulation ... | 8.8 | HIGH | — | 0 |
| CVE-2026-3168 A weakness has been identified in Tenda F453 1.0.0.3. This affects the function fromNatStaticSetting of the file /goform/NatStaticSetting of the component httpd. Executing a manipulation of the argume... | 8.8 | HIGH | — | 0 |
| CVE-2025-11563 URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the... | 4.6 | MEDIUM | — | 0 |
| CVE-2026-3169 A security vulnerability has been detected in Tenda F453 1.0.0.3. This impacts the function fromSafeEmailFilter of the file /goform/SafeEmailFilter of the component httpd. The manipulation of the argu... | 8.8 | HIGH | — | 0 |
| CVE-2026-3170 A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected is an unknown function of the file /patient-search.php. The manipulation of the... | 2.4 | LOW | — | 0 |
| CVE-2026-1916 The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wp... | 7.5 | HIGH | — | 0 |
| CVE-2026-1929 The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled ... | 8.8 | HIGH | — | 0 |
| CVE-2026-2416 The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied par... | 7.5 | HIGH | — | 0 |
| CVE-2026-2479 The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of `strpos()` for substring-base... | 5.0 | MEDIUM | — | 0 |
| CVE-2025-14742 The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2301 The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` functi... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2367 The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-2410 The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce vali... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-62878 A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended ... | 9.9 | CRITICAL | — | 0 |
| CVE-2025-67601 A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the –cacert ... | 8.3 | HIGH | — | 0 |
| CVE-2025-67860 A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials... | 3.8 | LOW | — | 0 |
| CVE-2026-22424 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Shaha shaha allows PHP Local File Inclusion.This issue affects Sha... | 8.1 | HIGH | — | 0 |
| CVE-2026-0704 In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to ... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-21725 A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to ... | 2.6 | LOW | — | 0 |
| CVE-2026-2624 Missing Authentication for Critical Function vulnerability in ePati Cyber Security Technologies Inc. Antikor Next Generation Firewall (NGFW) allows Authentication Bypass.This issue affects Antikor N... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-28193 In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint | 8.8 | HIGH | — | 0 |
| CVE-2026-28194 In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28195 In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28196 In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk | 2.3 | LOW | — | 0 |
| CVE-2026-3185 A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the ar... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27691 iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer overflow in iccFromCube.cpp during multiplication t... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-27692 iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, heap-buffer-overflow read occurs during CIccTagTextDescription::Re... | 7.1 | HIGH | — | 0 |
| CVE-2026-27695 zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (`namespace/ENTITY#{i... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27699 The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory li... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-2878 In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filena... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-3197 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide... | N/A | NONE | — | 0 |
| CVE-2026-3201 USB HID protocol dissector memory exhaustion in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service | 4.7 | MEDIUM | — | 0 |
| CVE-2026-3202 NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service | 4.7 | MEDIUM | — | 0 |
| CVE-2026-3203 RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service | 5.5 | MEDIUM | — | 0 |
| CVE-2025-1242 The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attack... | 9.1 | CRITICAL | — | 0 |
| CVE-2025-50180 esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websit... | 7.5 | HIGH | — | 0 |
| CVE-2026-22866 Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. In versions 1.6.2 and prior, the `RSASHA256Algorithm` and `RSASHA1Algorithm` contract... | 7.5 | HIGH | — | 0 |
| CVE-2026-27700 Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Ba... | 8.2 | HIGH | — | 0 |
| CVE-2026-27701 LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript inj... | N/A | NONE | — | 0 |
| CVE-2026-27702 Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows a... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-20010 A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause the LLDP process to restart, which could cause an... | 7.4 | HIGH | — | 0 |
| CVE-2026-27704 The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub cli... | 7.5 | HIGH | — | 0 |
| CVE-2026-27730 esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to ... | 7.5 | HIGH | — | 0 |
| CVE-2026-27846 Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, includi... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-27847 Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27848 Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.20... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3206 Improper Resource Shutdown or Release vulnerability in KrakenD, SLU KrakenD-CE (CircuitBreaker modules), KrakenD, SLU KrakenD-EE (CircuitBreaker modules). This issue affects KrakenD-CE: before 2.13.1;... | N/A | NONE | — | 0 |
| CVE-2026-20048 A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an authenticated, remote attacker to cause a denial of ser... | 7.7 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.