CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-70310 A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. | 5.5 | MEDIUM | — | 0 |
| CVE-2025-70656 Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted r... | 7.5 | HIGH | — | 0 |
| CVE-2026-20047 A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduc... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-20075 A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a sto... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-20076 A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack agains... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-22265 Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticat... | 7.5 | HIGH | — | 0 |
| CVE-2026-23493 Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such... | 8.6 | HIGH | — | 0 |
| CVE-2026-23519 RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumb... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23494 Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible f... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23495 Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side autho... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23496 Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint ... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-36911 In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additio... | 7.1 | HIGH | — | 0 |
| CVE-2025-70299 A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-70307 A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 7.5 | HIGH | — | 0 |
| CVE-2025-9014 A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. A remote, unauthenticated attacker can exp... | 7.5 | HIGH | — | 0 |
| CVE-2025-67647 SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service... | 9.1 | CRITICAL | — | 0 |
| CVE-2025-70302 A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 5.5 | MEDIUM | — | 0 |
| CVE-2025-70303 A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-0227 A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the fir... | 7.5 | HIGH | — | 0 |
| CVE-2026-22249 Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/sr... | 7.1 | HIGH | — | 0 |
| CVE-2026-22774 Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume exce... | 7.5 | HIGH | — | 0 |
| CVE-2026-22775 Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume exce... | 7.5 | HIGH | — | 0 |
| CVE-2026-22803 SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a re... | 7.5 | HIGH | — | 0 |
| CVE-2025-15265 An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-65349 A Stored Cross-Site Scripting (XSS) vulnerability in Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23511 ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can ex... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23520 Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-23527 H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive che... | 8.9 | HIGH | — | 0 |
| CVE-2026-23622 Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST meth... | 8.8 | HIGH | — | 0 |
| CVE-2026-23766 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | N/A | NONE | — | 0 |
| CVE-2025-52987 A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-C... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-59959 An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to caus... | 5.5 | MEDIUM | — | 0 |
| CVE-2025-67025 Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section | 6.1 | MEDIUM | — | 0 |
| CVE-2025-59960 An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhau... | 7.4 | HIGH | — | 0 |
| CVE-2025-59961 An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to writ... | 5.5 | MEDIUM | — | 0 |
| CVE-2025-60003 A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (... | 7.5 | HIGH | — | 0 |
| CVE-2025-60011 An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based at... | 5.8 | MEDIUM | — | 0 |
| CVE-2025-65368 SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. | 6.1 | MEDIUM | — | 0 |
| CVE-2025-70890 A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-us... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-70891 A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-su... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-70892 Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parame... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-70893 A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied inp... | 8.8 | HIGH | — | 0 |
| CVE-2026-1002 The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper imp... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-21903 A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-S... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-21909 A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-21905 A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows... | 7.5 | HIGH | — | 0 |
| CVE-2026-21906 An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a... | 7.5 | HIGH | — | 0 |
| CVE-2026-21907 A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confi... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-21908 A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacke... | 7.1 | HIGH | — | 0 |
| CVE-2026-1018 Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing Unauthenticated remote attacker to exploit Absolute Path Traversal to download arbitrary system ... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.