CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-32734 baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3. | 7.1 | HIGH | β | 0 |
| CVE-2026-4794 Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10Β allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This c... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-5115 The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs dir... | 7.5 | HIGH | β | 0 |
| CVE-2026-3300 The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_fi... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-4020 The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp... | 7.5 | HIGH | β | 0 |
| CVE-2026-5176 A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provide... | 7.3 | HIGH | β | 0 |
| CVE-2026-32714 SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to co... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-32716 SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a t... | 8.1 | HIGH | β | 0 |
| CVE-2026-32727 SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope c... | 8.1 | HIGH | β | 0 |
| CVE-2026-33997 Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Du... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-34036 Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34040 Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patch... | 8.8 | HIGH | β | 0 |
| CVE-2026-34041 act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disab... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-34042 act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can conne... | 8.2 | HIGH | β | 0 |
| CVE-2026-34043 Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When seri... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-34054 vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later o... | 7.8 | HIGH | β | 0 |
| CVE-2026-34060 Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpola... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-34070 LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34073 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child cert... | N/A | NONE | β | 0 |
| CVE-2026-5177 A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of t... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5178 A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argume... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-1710 The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1797 The Appointment Booking and Scheduler Plugin β Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4146 The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the βupdate_hrefβ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitizati... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-5179 A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sq... | 7.3 | HIGH | β | 0 |
| CVE-2026-5180 A flaw has been found in SourceCodester Simple Doctors Appointment System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=login2. This manipulation of the argument emai... | 7.3 | HIGH | β | 0 |
| CVE-2026-5181 A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some unknown processing of the file /doctors_appointment/admin/ajax.php?action=save_cat... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-1834 The Ibtana β WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insuffici... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1877 The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' f... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34881 OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and r... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-5182 A vulnerability was found in SourceCodester Teacher Record System 1.0. Impacted is an unknown function of the file Teacher Record System of the component Parameter Handler. Performing a manipulation o... | 7.3 | HIGH | β | 0 |
| CVE-2026-5183 A vulnerability was determined in TRENDnet TEW-713RE up to 1.02. The affected element is the function sub_421494 of the file /goform/addRouting. Executing a manipulation of the argument dest can lead ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-3881 The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks | 5.8 | MEDIUM | β | 0 |
| CVE-2026-5184 A vulnerability was identified in TRENDnet TEW-713RE up to 1.02. The impacted element is an unknown function of the file /goform/setSysAdm. The manipulation of the argument admuser leads to command in... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5185 A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulat... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5186 A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-10551 A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows a... | 8.7 | HIGH | β | 0 |
| CVE-2025-10553 A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows a... | 8.7 | HIGH | β | 0 |
| CVE-2025-10559 A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read ... | 7.1 | HIGH | β | 0 |
| CVE-2025-41355 Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a maliciou... | N/A | NONE | β | 0 |
| CVE-2025-41356 Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious ... | N/A | NONE | β | 0 |
| CVE-2025-41357 Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious ... | N/A | NONE | β | 0 |
| CVE-2026-3106 Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseΓ±a' parameter of the login form 'redacted/index.php'. During f... | N/A | NONE | β | 0 |
| CVE-2026-3107 Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The applicatio... | N/A | NONE | β | 0 |
| CVE-2026-5195 A flaw has been found in code-projects Student Membership System 1.0. This issue affects some unknown processing of the component User Registration Handler. Executing a manipulation can lead to sql in... | 7.3 | HIGH | β | 0 |
| CVE-2026-5196 A vulnerability has been found in code-projects Student Membership System 1.0. Impacted is an unknown function of the file /delete_member.php. The manipulation of the argument ID leads to sql injectio... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5201 A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a special... | 7.5 | HIGH | β | 0 |
| CVE-2026-4317 SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the dat... | N/A | NONE | β | 0 |
| CVE-2026-5197 A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. The manipulation of the argument ID results in sql i... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-7741 Hardcoded Password Vulnerability have been found in CENTUM.Β Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the ... | N/A | NONE | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.