CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2023-7340 Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can exploit this vulner... | 3.5 | LOW | β | 0 |
| CVE-2026-30302 The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect us... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-30527 A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30529 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user inp... | 8.8 | HIGH | β | 0 |
| CVE-2026-30530 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30531 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user... | 8.8 | HIGH | β | 0 |
| CVE-2026-30532 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the "id" parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30533 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30534 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the "id" parameter. | 8.3 | HIGH | β | 0 |
| CVE-2026-32983 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cau... | 5.8 | MEDIUM | β | 0 |
| CVE-2026-32984 Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can exploit this vulner... | 3.5 | LOW | β | 0 |
| CVE-2026-4958 A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the comp... | 3.1 | LOW | β | 0 |
| CVE-2026-4959 A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Perfor... | 7.3 | HIGH | β | 0 |
| CVE-2025-15381 In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including... | N/A | NONE | β | 0 |
| CVE-2025-15615 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cau... | 5.8 | MEDIUM | β | 0 |
| CVE-2025-15616 Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through va... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-28367 A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such... | 8.7 | HIGH | β | 0 |
| CVE-2026-28368 A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. Th... | 8.7 | HIGH | β | 0 |
| CVE-2026-28369 A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces.... | 8.7 | HIGH | β | 0 |
| CVE-2026-30569 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" param... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30570 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30571 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30574 A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) excee... | 7.5 | HIGH | β | 0 |
| CVE-2026-30575 A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, a... | 7.5 | HIGH | β | 0 |
| CVE-2026-30576 A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters... | 7.5 | HIGH | β | 0 |
| CVE-2026-33767 WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) fo... | 8.8 | HIGH | β | 0 |
| CVE-2026-33770 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolatin... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33867 WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34245 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming p... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-34247 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any sche... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34362 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented ou... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-34411 Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4960 A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of t... | 8.8 | HIGH | β | 0 |
| CVE-2026-4961 A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. The manipul... | 8.8 | HIGH | β | 0 |
| CVE-2026-4962 A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The manipulation results in unc... | 7.0 | HIGH | β | 0 |
| CVE-2026-4963 A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of th... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-4964 A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the compo... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-15617 Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed to... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-30567 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize t... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30568 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in in the view_purchase.php file via the "limit" parameter. The application fails to saniti... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-34364 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34368 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) rac... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4965 A vulnerability was detected in letta-ai letta 0.16.4. This issue affects the function resolve_type of the file letta/functions/ast_parsers.py of the component Incomplete Fix CVE-2025-6101. Performing... | 7.3 | HIGH | β | 0 |
| CVE-2026-4966 A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID ca... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-4968 A vulnerability was determined in SourceCodester Diary App 1.0. The affected element is an unknown function of the file diary.php. Executing a manipulation can lead to cross-site request forgery. The ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-15612 Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with netwo... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-26060 Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleetβs password management logic could allow previously issued password reset tokens to remain valid after a user ... | 8.8 | HIGH | β | 0 |
| CVE-2026-26061 Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated at... | 7.5 | HIGH | β | 0 |
| CVE-2026-29180 Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their... | 8.8 | HIGH | β | 0 |
| CVE-2018-25211 Allok Video Splitter 3.1.1217 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service or execute arbitrary code by supplying an oversized string in the Licens... | 7.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.