CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-59892 Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions... | 8.0 | HIGH | β | 0 |
| CVE-2025-59893 Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions... | 8.0 | HIGH | β | 0 |
| CVE-2025-59894 Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions... | 8.0 | HIGH | β | 0 |
| CVE-2025-59895 Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insuffi... | 7.5 | HIGH | β | 0 |
| CVE-2025-59896 Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an au... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-13917 WSS Agent, prior to 9.8.5, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevate... | 7.0 | HIGH | β | 0 |
| CVE-2025-59897 Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an au... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59898 Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an au... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59899 Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an au... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59900 Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an au... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59901 Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent b... | N/A | NONE | β | 0 |
| CVE-2026-0483 Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload,... | N/A | NONE | β | 0 |
| CVE-2025-13918 Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may a... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-1280 The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and incl... | 7.5 | HIGH | β | 0 |
| CVE-2026-1377 The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. Th... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1380 The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settin... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1391 The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1398 The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1399 The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization ... | 4.4 | MEDIUM | β | 0 |
| CVE-2025-13919 Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to es... | 4.4 | MEDIUM | β | 0 |
| CVE-2020-36984 EPSON 1.124 contains an unquoted service path vulnerability in the SENADB service that allows local attackers to execute code with elevated system privileges. Attackers can exploit the unquoted path i... | 7.8 | HIGH | β | 0 |
| CVE-2020-36985 IP Watcher 3.0.0.30 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binar... | 7.8 | HIGH | β | 0 |
| CVE-2020-36986 Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to i... | 7.8 | HIGH | β | 0 |
| CVE-2020-36987 Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unqu... | 7.8 | HIGH | β | 0 |
| CVE-2020-36988 PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. ... | 5.4 | MEDIUM | β | 0 |
| CVE-2020-36989 ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can ex... | 7.8 | HIGH | β | 0 |
| CVE-2020-36990 Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit th... | 7.8 | HIGH | β | 0 |
| CVE-2020-36991 ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure serv... | 7.8 | HIGH | β | 0 |
| CVE-2020-36992 Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binar... | 7.8 | HIGH | β | 0 |
| CVE-2020-36993 LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[t... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-14865 The Passster β Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1056 The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and includin... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14795 The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlis... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1060 The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The e... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1237 Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is i... | N/A | NONE | β | 0 |
| CVE-2025-65886 A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes. | 7.5 | HIGH | β | 0 |
| CVE-2026-1520 A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting.... | 2.4 | LOW | β | 0 |
| CVE-2025-57283 The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. | 7.8 | HIGH | β | 0 |
| CVE-2025-58150 Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That si... | 8.8 | HIGH | β | 0 |
| CVE-2025-61140 The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69517 An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/new... | 8.8 | HIGH | β | 0 |
| CVE-2025-70336 A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' an... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-23553 In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents ... | 2.9 | LOW | β | 0 |
| CVE-2025-65888 A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value. | 7.5 | HIGH | β | 0 |
| CVE-2025-65889 A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 7.5 | HIGH | β | 0 |
| CVE-2025-65890 A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index. | 7.5 | HIGH | β | 0 |
| CVE-2026-24685 OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProjectβs repository diff download endpoint ... | 8.8 | HIGH | β | 0 |
| CVE-2020-36943 aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,0... | 7.5 | HIGH | β | 0 |
| CVE-2020-36944 ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a s... | 4.0 | MEDIUM | β | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.