Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-4992 A flaw has been found in wandb OpenUI up to 1.0. This affects the function create_share/get_share of the file backend/openui/server.py of the component HTMLAnnotator Component. Executing a manipulatio... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5031 A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the ar... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33868 Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*`... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3115 Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users t... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3139 The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-34738 WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's statu... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5157 A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Such manipulation of the arg... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-34595 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permiss... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-32951 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5240 A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. This affects an unknown part of the file /admin_state.php. The manipulation of the argument statename leads t... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4949 The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-40786 Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyRewards: from n/a through <= ... | 4.3 | MEDIUM | — | 0 |
| CVE-2024-58343 Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-6451 The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX del... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-34719 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-34722 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-34837 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a ... | 4.3 | MEDIUM | — | 0 |
| CVE-2023-5872 In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint. | 4.3 | MEDIUM | — | 0 |
| CVE-2025-70811 Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-40041 Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changi... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-35596 Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any labe... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-6589 A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery.... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-6590 A vulnerability was detected in ComfyUI up to 0.13.0. This impacts the function get_model_preview of the file app/model_manager.py of the component Model Preview Endpoint. The manipulation results in ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-6591 A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argume... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-6601 A vulnerability has been found in Lagom WHMCS Template up to 2.4.2. This impacts an unknown function of the component Datatables. The manipulation leads to resource consumption. Remote exploitation of... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-32202 Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-39851 Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in erro... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4628 A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteRe... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33829 Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5318 A weakness has been identified in LibRaw up to 0.22.0. This impacts the function HuffTable::initval of the file src/decompressors/losslessjpeg.cpp of the component JPEG DHT Parser. This manipulation o... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5624 A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack ma... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23777 Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5911 Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | 4.3 | MEDIUM | — | 0 |
| CVE-2026-40729 Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D viewer – Embed 3D Mo... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-14595 GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticat... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-40841 Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a Cross-Site Request Forgery (CSRF) vulnerability which, if exploited, can lead to unauthorized modification of certain information. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3831 The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5918 Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27857 Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer ti... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27672 The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27676 Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper ... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-59809 A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1166 Open Redirect vulnerability in Hitachi Ops Center Administrator.This issue affects Hitachi Ops Center Administrator: from 10.2.0 before 11.0.8. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3371 The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authoriz... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1262 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33315 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2F... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33313 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the co... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-20061 A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-33118 Microsoft Edge (Chromium-based) Spoofing Vulnerability | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5705 A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affected by this vulnerability is an unknown functionality of the file /booknow.php of the component Booking Endpoint. Such ma... | 4.3 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.