Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-33742 Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stor... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-33044 Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious n... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-3369 The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insuffici... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-39426 MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <ifr... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-15445 The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged opera... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-4332 GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-33119 User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-39425 MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and Jav... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-34475 Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or auth... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-33726 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pod... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-34051 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, a... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25609 Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-3063 Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27119 svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially al... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27121 svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes f... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27122 svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted in... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-0999 Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25051 n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpo... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25054 n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, i... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-9208 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute mal... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-64999 Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into t... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-24050 Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting the... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27948 Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27792 Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and pri... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23619 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$Conte... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-59903 Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, ... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-59904 Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and execut... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27902 Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-67491 OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 h... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-26059 ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would exec... | 5.4 | MEDIUM | — | 0 |
| CVE-2019-25400 IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters incl... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23614 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework IP Exceptions interface. An authenticated user can supply HTML/JavaScrip... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23606 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScr... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27147 GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload funct... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23605 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23604 GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in th... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-2127 The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check o... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-14282 A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to th... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25422 Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27578 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts in... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25337 Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5. | 5.4 | MEDIUM | — | 0 |
| CVE-2025-67856 A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This co... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-2694 The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all ... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-14895 The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to acces... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-71240 SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicio... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25473 Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WZone: from n/a through <= 14.0.31. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23476 FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Tw... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-2997 Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers to modify a specific parameter to obtain a course ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25311 Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Autoshare for Twitter... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25322 Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Revisions revisionary allows Cross Site Request Forgery.This issue affects PublishPress Revisions: from n/a through <= 3.7.... | 5.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.