Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-33577 OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers ... | 8.1 | HIGH | — | 0 |
| CVE-2026-39307 PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting templ... | 8.1 | HIGH | — | 0 |
| CVE-2026-22719 VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMw... | 8.1 | HIGH | KEV | 0 |
| CVE-2026-33949 Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the ... | 8.1 | HIGH | — | 0 |
| CVE-2026-41113 sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c. | 8.1 | HIGH | — | 0 |
| CVE-2026-5282 Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | 8.1 | HIGH | — | 0 |
| CVE-2026-4347 The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' fun... | 8.1 | HIGH | — | 0 |
| CVE-2025-54550 The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify X... | 8.1 | HIGH | — | 0 |
| CVE-2026-28119 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Nirvana nir-vana allows PHP Local File Inclusion.This issue affects... | 8.1 | HIGH | — | 0 |
| CVE-2026-34522 SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version ... | 8.1 | HIGH | — | 0 |
| CVE-2026-34581 goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh f... | 8.1 | HIGH | — | 0 |
| CVE-2026-20155 A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker with low privileges to access sensitive informa... | 8.0 | HIGH | — | 0 |
| CVE-2026-5684 A vulnerability was determined in Tenda CX12L 16.03.53.12. Affected by this issue is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. Executing a manipulation of the arg... | 8.0 | HIGH | — | 0 |
| CVE-2025-55041 MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any us... | 8.0 | HIGH | — | 0 |
| CVE-2026-35575 ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-cr... | 8.0 | HIGH | — | 0 |
| CVE-2025-24818 Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application. | 8.0 | HIGH | — | 0 |
| CVE-2026-32813 Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets a... | 8.0 | HIGH | — | 0 |
| CVE-2026-30814 A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a... | 8.0 | HIGH | — | 0 |
| CVE-2025-33179 NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could run an unauthorized command. A successful exploit of this vulnerability might le... | 8.0 | HIGH | — | 0 |
| CVE-2026-24010 Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deplo... | 8.0 | HIGH | — | 0 |
| CVE-2025-61983 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via... | 8.0 | HIGH | — | 0 |
| CVE-2025-59487 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. Th... | 8.0 | HIGH | — | 0 |
| CVE-2025-59482 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via... | 8.0 | HIGH | — | 0 |
| CVE-2026-21523 Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network. | 8.0 | HIGH | — | 0 |
| CVE-2025-58077 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code vi... | 8.0 | HIGH | — | 0 |
| CVE-2021-35485 The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/applicati... | 8.0 | HIGH | — | 0 |
| CVE-2026-25109 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input i... | 8.0 | HIGH | — | 0 |
| CVE-2026-25195 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmwa... | 8.0 | HIGH | — | 0 |
| CVE-2025-61944 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via... | 8.0 | HIGH | — | 0 |
| CVE-2026-21257 Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network. | 8.0 | HIGH | — | 0 |
| CVE-2026-25037 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously cr... | 8.0 | HIGH | — | 0 |
| CVE-2025-58455 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via... | 8.0 | HIGH | — | 0 |
| CVE-2026-24129 Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system comm... | 8.0 | HIGH | — | 0 |
| CVE-2026-24695 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input... | 8.0 | HIGH | — | 0 |
| CVE-2026-25196 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input int... | 8.0 | HIGH | — | 0 |
| CVE-2026-25105 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious inpu... | 8.0 | HIGH | — | 0 |
| CVE-2026-25111 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input int... | 8.0 | HIGH | — | 0 |
| CVE-2025-7016 Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse.This issue affects QR Menu: before s1.05.12. | 8.0 | HIGH | — | 0 |
| CVE-2026-25721 An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input int... | 8.0 | HIGH | — | 0 |
| CVE-2026-20432 In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the atta... | 8.0 | HIGH | — | 0 |
| CVE-2026-28425 Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to ac... | 8.0 | HIGH | — | 0 |
| CVE-2026-21311 Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p... | 8.0 | HIGH | — | 0 |
| CVE-2026-32978 OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain ... | 8.0 | HIGH | — | 0 |
| CVE-2026-4248 The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag ... | 8.0 | HIGH | — | 0 |
| CVE-2026-6290 Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access... | 8.0 | HIGH | — | 0 |
| CVE-2026-30615 A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious ins... | 8.0 | HIGH | — | 0 |
| CVE-2026-22248 GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated techni... | 8.0 | HIGH | — | 0 |
| CVE-2025-24817 Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application. | 8.0 | HIGH | — | 0 |
| CVE-2026-32014 OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth si... | 8.0 | HIGH | — | 0 |
| CVE-2026-33826 Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network. | 8.0 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.