Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-24324 SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24323 The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-24322 SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vul... | 7.7 | HIGH | — | 0 |
| CVE-2026-24321 SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be public... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24320 Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially craft... | 3.1 | LOW | — | 0 |
| CVE-2026-24319 In SAP Business One, sensitive information is written to the application�s memory dump files without obfuscation. Gaining access to this information could potentially lead to unauthorized operations w... | 5.8 | MEDIUM | — | 0 |
| CVE-2026-24312 An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensiti... | 5.2 | MEDIUM | — | 0 |
| CVE-2026-23689 Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function... | 7.7 | HIGH | — | 0 |
| CVE-2026-23688 SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidenti... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-23687 SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier.... | 8.8 | HIGH | — | 0 |
| CVE-2026-23686 Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If proce... | 3.4 | LOW | — | 0 |
| CVE-2026-23685 Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processe... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-23684 A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in a cart entry being created with erroneous product value whic... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-23681 Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-0509 SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cas... | 9.6 | CRITICAL | — | 0 |
| CVE-2026-0508 The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim ma... | 7.3 | HIGH | — | 0 |
| CVE-2026-0505 The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-0490 SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from ... | 7.5 | HIGH | — | 0 |
| CVE-2026-0488 An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the abi... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-0486 In ABAP based SAP systems a remote enabled function module does not perform necessary authorization checks for an authenticated user resulting in disclosure of system information.This has low impact o... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-0485 SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeat... | 7.5 | HIGH | — | 0 |
| CVE-2026-0484 Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2258 A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to ... | 3.3 | LOW | — | 0 |
| CVE-2026-0845 The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege esca... | 7.2 | HIGH | — | 0 |
| CVE-2025-15314 Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. | 5.5 | MEDIUM | — | 0 |
| CVE-2025-15313 Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. | 5.5 | MEDIUM | — | 0 |
| CVE-2025-15310 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | — | 0 |
| CVE-2025-15147 The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'W... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25958 Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privi... | 7.7 | HIGH | — | 0 |
| CVE-2026-25957 Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a C... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25951 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privilege... | 7.2 | HIGH | — | 0 |
| CVE-2026-25939 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attack... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25938 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execut... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25934 go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not p... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25931 vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as t... | 7.8 | HIGH | — | 0 |
| CVE-2026-25895 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locati... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25894 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25893 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrat... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-15319 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | — | 0 |
| CVE-2025-15318 Tanium addressed an arbitrary file deletion vulnerability in End-User Notifications Endpoint Tools. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25961 SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers... | 7.5 | HIGH | — | 0 |
| CVE-2026-25925 PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App pac... | 7.8 | HIGH | — | 0 |
| CVE-2026-25923 my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validati... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25920 SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only ... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25918 unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25892 Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser ... | 7.5 | HIGH | — | 0 |
| CVE-2026-25890 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the... | 8.1 | HIGH | — | 0 |
| CVE-2026-25889 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the passw... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25885 PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated clie... | 7.5 | HIGH | — | 0 |
| CVE-2026-25881 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag throug... | 9.0 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.