CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-33288 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authe... | 8.8 | HIGH | β | 0 |
| CVE-2026-32769 Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to... | N/A | NONE | β | 0 |
| CVE-2026-32771 The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals (i.e. logs, metrics and distributed traces). In versions prior to 0.2.2, the sanitizeArchivePat... | N/A | NONE | β | 0 |
| CVE-2026-4136 The Membership Plugin β Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4468 A vulnerability was determined in Comfast CF-AC100 2.6.0.8. Affected is an unknown function of the file /cgi-bin/mbox-config?method=SET§ion=update_interface_png. This manipulation causes command i... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-4469 A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_edit_menu_action.php. Such m... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-4470 A security flaw has been discovered in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_edit_menu.php. Performing a m... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-32938 SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspa... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-4471 A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /admin/admin_edit_employee.php. Executing a manipulation of the argumen... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-22733 Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the Cl... | 8.2 | HIGH | β | 0 |
| CVE-2026-22735 Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE).Β This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, ... | 2.6 | LOW | β | 0 |
| CVE-2026-32764 Rejected reason: This repository is no longer public. | N/A | NONE | β | 0 |
| CVE-2026-32765 Rejected reason: This repository is no longer public. | N/A | NONE | β | 0 |
| CVE-2026-23273 In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens aft... | N/A | NONE | β | 0 |
| CVE-2026-32002 OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing att... | 5.3 | MEDIUM | β | 0 |
| CVE-2019-25522 XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers ca... | 8.2 | HIGH | β | 0 |
| CVE-2019-25523 XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GE... | 8.2 | HIGH | β | 0 |
| CVE-2019-25524 XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET r... | 8.2 | HIGH | β | 0 |
| CVE-2019-25540 Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. Attackers... | 8.2 | HIGH | β | 0 |
| CVE-2019-25541 Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. Attackers can inject time-b... | 8.2 | HIGH | β | 0 |
| CVE-2026-32746 telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23268 In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove... | N/A | NONE | β | 0 |
| CVE-2026-20991 Improper privilege management in ThemeManager prior to SMR Mar-2026 Release 1 allows local privileged attackers to reuse trial contents. | 4.4 | MEDIUM | β | 0 |
| CVE-2026-20992 Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application. | 3.3 | LOW | β | 0 |
| CVE-2026-32003 OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and... | 6.6 | MEDIUM | β | 0 |
| CVE-2026-32011 OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signatu... | 7.5 | HIGH | β | 0 |
| CVE-2026-32291 The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins. | 6.8 | MEDIUM | β | 0 |
| CVE-2026-32292 The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials. | 7.5 | HIGH | β | 0 |
| CVE-2026-32293 The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker... | 3.7 | LOW | β | 0 |
| CVE-2026-28282 Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creati... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-29072 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy... | 7.5 | HIGH | β | 0 |
| CVE-2026-32001 OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verifi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32013 OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. A... | 8.8 | HIGH | β | 0 |
| CVE-2026-32014 OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth si... | 8.0 | HIGH | β | 0 |
| CVE-2026-4223 A vulnerability was identified in itsourcecode Payroll Management System 1.0. This issue affects some unknown processing of the file /manage_employee.php. Such manipulation of the argument ID leads to... | 7.3 | HIGH | β | 0 |
| CVE-2025-57543 Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This c... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30711 Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent. | 8.8 | HIGH | β | 0 |
| CVE-2026-32843 Location Aware Sensor System by Linkit ONE, up to commit f06bd20 (2023-04-26), contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbi... | N/A | NONE | β | 0 |
| CVE-2026-22324 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: fr... | 8.1 | HIGH | β | 0 |
| CVE-2026-23100 In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One fu... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-20989 Improper verification of cryptographic signature in Font Settings prior to SMR Mar-2026 Release 1 allows physical attackers to use custom font. | 2.4 | LOW | β | 0 |
| CVE-2026-20990 Improper export of android application components in Secure Folder prior to SMR Mar-2026 Release 1 allows local attackers to launch arbitrary activity with Secure Folder privilege. | 8.1 | HIGH | β | 0 |
| CVE-2025-69783 A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthori... | 7.8 | HIGH | β | 0 |
| CVE-2025-69784 A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a... | 8.8 | HIGH | β | 0 |
| CVE-2025-69768 SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component | 7.5 | HIGH | β | 0 |
| CVE-2026-4253 A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function route_set_user_policy_rule of the file /cgi-bin/UploadCfg of the component Web Interface. The manipulation of th... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-4254 A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulatio... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-71257 BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets.... | 7.3 | HIGH | β | 0 |
| CVE-2025-71258 BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the ser... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-71259 BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigge... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.