Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2025-50195 Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in versio... | 7.2 | HIGH | — | 0 |
| CVE-2025-50194 Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. This issue has been patched in version 1.11.3... | 7.2 | HIGH | — | 0 |
| CVE-2025-69299 Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery.This issue affects Oxygen: from n/a through <= 6.0.8. | 7.2 | HIGH | — | 0 |
| CVE-2025-50193 Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This is... | 7.2 | HIGH | — | 0 |
| CVE-2026-2568 The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission data in all versions up to, and ... | 7.2 | HIGH | — | 0 |
| CVE-2026-1506 A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac ... | 7.2 | HIGH | — | 0 |
| CVE-2025-50191 Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched i... | 7.2 | HIGH | — | 0 |
| CVE-2025-14610 The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be... | 7.2 | HIGH | — | 0 |
| CVE-2026-20416 In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User in... | 7.2 | HIGH | — | 0 |
| CVE-2026-3342 An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow an authenticated privileged administrator to execute arbitrary code with root permissions via an exposed management interface. ... | 7.2 | HIGH | — | 0 |
| CVE-2026-20205 In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session... | 7.2 | HIGH | — | 0 |
| CVE-2025-36184 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unn... | 7.2 | HIGH | — | 0 |
| CVE-2025-14554 The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to... | 7.2 | HIGH | — | 0 |
| CVE-2025-63909 Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write... | 7.2 | HIGH | — | 0 |
| CVE-2025-63910 An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administrator privileges to execute arbitrary code via uploa... | 7.2 | HIGH | — | 0 |
| CVE-2025-67840 Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints ... | 7.2 | HIGH | — | 0 |
| CVE-2026-22224 A command injection vulnerability may be exploited after the admin's authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attack... | 7.2 | HIGH | — | 0 |
| CVE-2026-0617 The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and includi... | 7.2 | HIGH | — | 0 |
| CVE-2026-1065 The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist inclu... | 7.2 | HIGH | — | 0 |
| CVE-2020-37072 Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript pa... | 7.2 | HIGH | — | 0 |
| CVE-2020-37084 School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers ca... | 7.2 | HIGH | — | 0 |
| CVE-2026-2440 The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization... | 7.2 | HIGH | — | 0 |
| CVE-2026-1648 The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in ... | 7.2 | HIGH | — | 0 |
| CVE-2026-34188 Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800 | 7.2 | HIGH | — | 0 |
| CVE-2026-3368 The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input s... | 7.2 | HIGH | — | 0 |
| CVE-2025-11730 A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versi... | 7.2 | HIGH | — | 0 |
| CVE-2026-32414 Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels advanced-woo-labels allows Remote Code Inclusion.This issue affects Advanced Woo Labels: from n/a t... | 7.2 | HIGH | — | 0 |
| CVE-2026-2084 A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os comma... | 7.2 | HIGH | — | 0 |
| CVE-2026-2085 A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulati... | 7.2 | HIGH | — | 0 |
| CVE-2026-2118 A vulnerability was determined in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_4407D4 of the file /goform/formReleaseConnect of the component rehttpd. Executing a manipulation ... | 7.2 | HIGH | — | 0 |
| CVE-2026-2120 A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of... | 7.2 | HIGH | — | 0 |
| CVE-2026-2142 A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420688 of the file /goform/set_qos. Executing a manipulation can lead to os command injection. The... | 7.2 | HIGH | — | 0 |
| CVE-2026-2143 A security vulnerability has been detected in D-Link DIR-823X 250416. This issue affects some unknown processing of the file /goform/set_ddns of the component DDNS Service. The manipulation of the arg... | 7.2 | HIGH | — | 0 |
| CVE-2026-2175 A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420618 of the file /goform/set_upnp. This manipulation of the argument upnp_enable causes os comma... | 7.2 | HIGH | — | 0 |
| CVE-2026-3231 The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the Woo... | 7.2 | HIGH | — | 0 |
| CVE-2026-1261 The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output esc... | 7.2 | HIGH | — | 0 |
| CVE-2026-0845 The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege esca... | 7.2 | HIGH | — | 0 |
| CVE-2025-15440 The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanit... | 7.2 | HIGH | — | 0 |
| CVE-2026-27819 Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to ... | 7.2 | HIGH | — | 0 |
| CVE-2026-27624 Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CV... | 7.2 | HIGH | — | 0 |
| CVE-2026-1843 The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and outpu... | 7.2 | HIGH | — | 0 |
| CVE-2026-1273 The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the `/ultp/v... | 7.2 | HIGH | — | 0 |
| CVE-2026-22766 Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Unrestricted Upload of File with Dangerous Type vulnerability. A high privileged attacker with remote access could potentially exploit... | 7.2 | HIGH | — | 0 |
| CVE-2026-2615 A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument del... | 7.2 | HIGH | — | 0 |
| CVE-2026-1931 The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'keyword' parameter in all versions up to, and including, 0.32.4 due to insufficient input sanitization and out... | 7.2 | HIGH | — | 0 |
| CVE-2026-1459 A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated a... | 7.2 | HIGH | — | 0 |
| CVE-2026-24748 Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed u... | 7.2 | HIGH | — | 0 |
| CVE-2026-3876 The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient in... | 7.2 | HIGH | — | 0 |
| CVE-2026-28209 FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Te... | 7.2 | HIGH | — | 0 |
| CVE-2026-26046 A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled a... | 7.2 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.