TROYANOSYVIRUS

CVE Vulnerabilities

CVE vulnerability database enriched with CISA KEV and NVD data

Total: 6,169 CVEs
CVE ID | CVSS | Severity | KEV | Sightings
CVE-2026-33073

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptio...

CVSS: 5.3 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-33415

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderato...

CVSS: 2.7 | Severity: LOW | KEV: - | Sightings: 0
CVE-2026-1263

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and miss...

CVSS: 6.4 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-1924

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_...

CVSS: 4.3 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-25203

Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability. This issue affects MagicINFO 9 Server: less than 21.1091.1.

CVSS: 7.8 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-5999

A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can ...

CVSS: 6.3 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-6000

A vulnerability was found in code-projects Online Library Management System 1.0. Affected is an unknown function of the file /sql/library.sql of the component SQL Database Backup File Handler. Perform...

CVSS: 4.3 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-6003

A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /admin/user.php. Such manipulation of the argument fn...

CVSS: 2.4 | Severity: LOW | KEV: - | Sightings: 0
CVE-2026-6004

A vulnerability was detected in code-projects Simple IT Discussion Forum 1.0. Impacted is an unknown function of the file /delete-category.php. Performing a manipulation of the argument cat_id results...

CVSS: 7.3 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-2305

The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions ...

CVSS: 6.4 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-5188

An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclos...

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-5466

wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged s...

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-6011

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler...

CVSS: 5.6 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-6012

A security vulnerability has been detected in D-Link DIR-513 1.10. This affects the function formSetPassword of the file /goform/formSetPassword of the component POST Request Handler. The manipulation...

CVSS: 8.8 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-6013

A vulnerability was detected in D-Link DIR-513 1.10. This vulnerability affects the function formSetRoute of the file /goform/formSetRoute of the component POST Request Handler. The manipulation of th...

CVSS: 8.8 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-6014

A flaw has been found in D-Link DIR-513 1.10. This issue affects the function formAdvanceSetup of the file /goform/formAdvanceSetup of the component POST Request Handler. This manipulation of the argu...

CVSS: 8.8 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-5477

An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining o...

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-6015

A vulnerability has been found in Tenda AC9 15.03.02.13. Impacted is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. Such manipulation of the argument...

CVSS: 8.8 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-6033

A vulnerability was determined in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /updatedetailsfromstudent.php?eno=146891650. Executing a manipulation of the argument fnam...

CVSS: 6.3 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-6034

A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /BranchManagement/ProfitAndLossReport.php. Executing a manipulation of the ar...

CVSS: 4.3 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-6035

A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipul...

CVSS: 4.3 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-33455

Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in sea...

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-33456

Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via ...

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-33457

Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name paramete...

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-6036

A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the arg...

CVSS: 7.3 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-6037

A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRA...

CVSS: 7.3 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-6038

A vulnerability was identified in code-projects Vehicle Showroom Management System 1.0. This impacts an unknown function of the file /util/RegisterCustomerFunction.php. Such manipulation of the argume...

CVSS: 7.3 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-4679

Integer overflow in Fonts in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

CVSS: 8.8 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-4738

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9....

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-4742

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in visualfc liteide (liteidex/src/3rdparty/qjsonrpc/src/http-parser modules). This vulnerability is assoc...

CVSS: N/A | Severity: NONE | KEV: - | Sightings: 0
CVE-2026-4640

Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.

CVSS: 7.5 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-33252

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` he...

CVSS: 7.1 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-33283

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing malformed UL NAS Transport NAS messages without a Request Type. An attacker able to send crafted NAS...

CVSS: 6.5 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-3029

A path traversal and arbitrary file write vulnerability exists in the embedded get function in '_main_.py' in PyMuPDF version 1.26.5.

CVSS: 7.5 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-30403

There is an arbitrary file read vulnerability in the test connection function of backend database management in wgcloud v3.6.3 and before, which can be used to read any file on the victim's server.

CVSS: 7.5 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2025-67112

Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authentica...

CVSS: 9.8 | Severity: CRITICAL | KEV: - | Sightings: 0
CVE-2025-69720

The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.

CVSS: 7.3 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-4749

NVD-CWE-noinfo vulnerability in albfan miraclecast. This issue affects miraclecast: before v1.0.

CVSS: 6.5 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-25400

Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection. This issue affects Apicona: from n/a through <= 24.1.0.

CVSS: 8.8 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-25429

Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection. This issue affects Nexa Blocks: from n/a through <= 1.1.1.

CVSS: 9.8 | Severity: CRITICAL | KEV: - | Sightings: 0
CVE-2026-25397

Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal. This issue affects File Uploader for WooCommerce: from n...

CVSS: 7.5 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-25398

Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ...

CVSS: 6.5 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-25396

Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooCommerce commerce-coinbase-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue...

CVSS: 7.5 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-27084

Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection. This issue affects Buisson: from n/a through <= 1.1.11.

CVSS: 9.8 | Severity: CRITICAL | KEV: - | Sightings: 0
CVE-2026-29092

Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their...

CVSS: 4.9 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-2745

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass We...

CVSS: 6.8 | Severity: MEDIUM | KEV: - | Sightings: 0
CVE-2026-31913

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal. This issue affects Scape: from n/a through < 1.5.16.

CVSS: 8.6 | Severity: HIGH | KEV: - | Sightings: 0
CVE-2026-32502

Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection. This issue affects Borgholm: from n/a through < 1.6.

CVSS: 9.8 | Severity: CRITICAL | KEV: - | Sightings: 0
CVE-2026-2414

Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2.

CVSS: 9.8 | Severity: CRITICAL | KEV: - | Sightings: 0
CVE-2026-40071

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permiss...

CVSS: 5.4 | Severity: MEDIUM | KEV: - | Sightings: 0

This product uses data from the NVD API but is not endorsed or certified by the NVD.