Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-33635 iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sa... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3190 A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-0814 The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3763 A vulnerability was found in code-projects Simple Flight Ticket Booking System 1.0. The affected element is an unknown function of the file showhistory.php. The manipulation results in cross site scri... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-32122 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25783 Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a spe... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2301 The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` functi... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-14742 The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-6393 The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() f... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25780 Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exha... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-69752 An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in t... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-11762 The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/adm... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3565 The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() f... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-26246 Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memor... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28195 In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations | 4.3 | MEDIUM | — | 0 |
| CVE-2025-14103 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-ro... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-24314 Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality o... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3331 The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fou... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3332 The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_sett... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-15509 The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1925 The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in al... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25941 FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the Fre... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2458 Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1747 GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-rol... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1673 The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. T... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-20797 A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1704 The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. Th... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4127 The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_spee... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4143 The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_pl... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2463 Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and re... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4547 A security vulnerability has been detected in mickasmt next-saas-stripe-starter 1.0.0. Affected is the function generateUserStripe of the file actions/generate-user-stripe.ts of the component Checkout... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4557 A vulnerability was detected in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s1.php. Performing a manipulation of the argument sname results in cr... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2230 The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation o... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25003 Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Portal: from n/a ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4066 The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and includi... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-15520 The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2826 The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not pro... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3990 A security flaw has been discovered in CesiumGS CesiumJS up to 1.137.0. Affected by this issue is some unknown functionality of the file Apps/Sandcastle/standalone.html. The manipulation of the argume... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-24327 Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unau... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28554 wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers expl... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28506 Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1182 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthor... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3234 A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3938 Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML pag... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3927 Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3925 Incorrect security UI in LookalikeChecks in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Mediu... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25318 Missing Authorization vulnerability in Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affe... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23810 A vulnerability in the packet processing logic may allow an authenticated attacker to craft and transmit a malicious Wi-Fi frame that causes an Access Point (AP) to classify the frame as group-address... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23811 A vulnerability in the client isolation mechanism may allow an attacker to bypass Layer 2 (L2) communication restrictions between clients and redirect traffic at Layer 3 (L3). In addition to bypassing... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23812 A vulnerability has been identified where an attacker connecting to an access point as a standard wired or wireless client can impersonate a gateway by leveraging an address-based spoofing technique. ... | 4.3 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.