Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2025-14844 The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_car... | 8.2 | HIGH | — | 0 |
| CVE-2026-21535 Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network. | 8.2 | HIGH | — | 0 |
| CVE-2020-37035 e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject... | 8.2 | HIGH | — | 0 |
| CVE-2019-25493 Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requ... | 8.2 | HIGH | — | 0 |
| CVE-2019-25359 SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. Attackers can exploit ... | 8.2 | HIGH | — | 0 |
| CVE-2020-37033 Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulne... | 8.2 | HIGH | — | 0 |
| CVE-2026-2007 Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we ... | 8.2 | HIGH | — | 0 |
| CVE-2020-37151 phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolea... | 8.2 | HIGH | — | 0 |
| CVE-2021-47777 Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads li... | 8.2 | HIGH | — | 0 |
| CVE-2020-37057 Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious S... | 8.2 | HIGH | — | 0 |
| CVE-2020-37051 Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' end... | 8.2 | HIGH | — | 0 |
| CVE-2025-71057 Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. | 8.2 | HIGH | — | 0 |
| CVE-2025-40932 Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 retu... | 8.2 | HIGH | — | 0 |
| CVE-2026-23857 Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local acc... | 8.2 | HIGH | — | 0 |
| CVE-2026-22022 Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict ... | 8.2 | HIGH | — | 0 |
| CVE-2019-25489 Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET ... | 8.2 | HIGH | — | 0 |
| CVE-2019-25490 Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET reques... | 8.2 | HIGH | — | 0 |
| CVE-2025-9986 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation.This issue affects DIGIKENT: through ... | 8.2 | HIGH | — | 0 |
| CVE-2019-25491 Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requ... | 8.2 | HIGH | — | 0 |
| CVE-2019-25492 Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET reque... | 8.2 | HIGH | — | 0 |
| CVE-2025-25210 Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary wit... | 8.2 | HIGH | — | 0 |
| CVE-2026-28406 kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives u... | 8.2 | HIGH | — | 0 |
| CVE-2026-28562 wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers ... | 8.2 | HIGH | — | 0 |
| CVE-2025-59023 Crafted delegations or IP fragments can poison cached delegations in Recursor. | 8.2 | HIGH | — | 0 |
| CVE-2026-25636 calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre... | 8.2 | HIGH | — | 0 |
| CVE-2026-21532 Azure Function Information Disclosure Vulnerability | 8.2 | HIGH | — | 0 |
| CVE-2026-24843 melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside ... | 8.2 | HIGH | — | 0 |
| CVE-2020-37083 PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL... | 8.2 | HIGH | — | 0 |
| CVE-2020-37110 60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulne... | 8.2 | HIGH | — | 0 |
| CVE-2020-36999 Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by ... | 8.2 | HIGH | — | 0 |
| CVE-2026-33941 Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates us... | 8.2 | HIGH | — | 0 |
| CVE-2018-25202 SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit ... | 8.2 | HIGH | — | 0 |
| CVE-2018-25185 Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers ... | 8.2 | HIGH | — | 0 |
| CVE-2026-33009 EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memory corruption). This is triggered by an MQTT `everest_external/nodered/{connecto... | 8.2 | HIGH | — | 0 |
| CVE-2026-31788 In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space proce... | 8.2 | HIGH | — | 0 |
| CVE-2026-35091 A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User ... | 8.2 | HIGH | — | 0 |
| CVE-2018-25195 Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submi... | 8.2 | HIGH | — | 0 |
| CVE-2026-32877 Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value... | 8.2 | HIGH | — | 0 |
| CVE-2026-4924 Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authenticati... | 8.2 | HIGH | — | 0 |
| CVE-2026-33979 Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerabili... | 8.2 | HIGH | — | 0 |
| CVE-2018-25210 WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQ... | 8.2 | HIGH | — | 0 |
| CVE-2026-34725 DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML... | 8.2 | HIGH | — | 0 |
| CVE-2024-44250 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to execute arbitrary code out of its sandbox or with certain elevated priv... | 8.2 | HIGH | — | 0 |
| CVE-2026-4828 Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted... | 8.2 | HIGH | — | 0 |
| CVE-2026-34375 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript... | 8.2 | HIGH | — | 0 |
| CVE-2026-32811 Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of th... | 8.2 | HIGH | — | 0 |
| CVE-2018-25192 GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can subm... | 8.2 | HIGH | — | 0 |
| CVE-2018-25194 Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can se... | 8.2 | HIGH | — | 0 |
| CVE-2018-25196 ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST ... | 8.2 | HIGH | — | 0 |
| CVE-2018-25197 PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can se... | 8.2 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.