Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-32730 ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incor... | 8.1 | HIGH | — | 0 |
| CVE-2025-15031 A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path valid... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-4407 Out-of-bounds array write in Xpdf 4.06 and earlier, due to incorrect validation of the "N" field in ICCBased color spaces. | N/A | NONE | — | 0 |
| CVE-2026-33163 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is register... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33042 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-32944 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server proce... | 7.5 | HIGH | — | 0 |
| CVE-2026-32943 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use gua... | 3.1 | LOW | — | 0 |
| CVE-2026-32886 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling... | 7.5 | HIGH | — | 0 |
| CVE-2026-32878 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist ... | 7.5 | HIGH | — | 0 |
| CVE-2026-32770 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32742 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-32728 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the fi... | 7.6 | HIGH | — | 0 |
| CVE-2026-32723 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string h... | 4.7 | MEDIUM | — | 0 |
| CVE-2026-32722 Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no esca... | 3.6 | LOW | — | 0 |
| CVE-2026-32703 OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from ... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-32698 OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When tha... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-32700 Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-32638 StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter... | 2.7 | LOW | — | 0 |
| CVE-2026-32636 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-32321 ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 #80 within the `actions/ajax.php` endpoint. Du... | 8.8 | HIGH | — | 0 |
| CVE-2026-31973 SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are com... | 7.5 | HIGH | — | 0 |
| CVE-2026-31972 SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output li... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25873 OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST req... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25745 OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) upda... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-4396 Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification. | 8.1 | HIGH | — | 0 |
| CVE-2026-31971 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When... | 8.1 | HIGH | — | 0 |
| CVE-2026-31970 HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was... | 8.1 | HIGH | — | 0 |
| CVE-2026-31969 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. Whe... | 8.1 | HIGH | — | 0 |
| CVE-2026-31968 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For ... | 8.1 | HIGH | — | 0 |
| CVE-2026-31967 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while readin... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-31966 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses refer... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-0866 Rejected reason: After the publication of the PoC by the researcher and further analysis, we have determined that this issue does not constitute a valid vulnerability. The technique described is an ob... | N/A | NONE | — | 0 |
| CVE-2026-3479 DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. T... | N/A | NONE | — | 0 |
| CVE-2026-31965 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while readin... | 8.2 | HIGH | — | 0 |
| CVE-2026-31964 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. Whi... | 7.5 | HIGH | — | 0 |
| CVE-2026-31963 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses refer... | 8.1 | HIGH | — | 0 |
| CVE-2025-58112 Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; thi... | 8.8 | HIGH | — | 0 |
| CVE-2026-32634 Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address ... | 8.1 | HIGH | — | 0 |
| CVE-2026-32633 Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-32632 Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI applicati... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-32611 Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use par... | 7.0 | HIGH | — | 0 |
| CVE-2026-31962 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quali... | 8.8 | HIGH | — | 0 |
| CVE-2026-30704 The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB | 9.1 | CRITICAL | — | 0 |
| CVE-2026-30703 A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input pr... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30702 The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication mechanism in its web management interface. The login page does not properly enforce session validation, al... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-30701 The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-30048 A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat convers... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-29859 An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29858 A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leadingot sensitive information exposure. | 7.5 | HIGH | — | 0 |
| CVE-2026-29856 An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input. | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.