Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-0486 In ABAP based SAP systems a remote enabled function module does not perform necessary authorization checks for an authenticated user resulting in disclosure of system information.This has low impact o... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-0485 SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeat... | 7.5 | HIGH | — | 0 |
| CVE-2026-0484 Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2258 A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to ... | 3.3 | LOW | — | 0 |
| CVE-2026-0845 The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege esca... | 7.2 | HIGH | — | 0 |
| CVE-2025-15314 Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. | 5.5 | MEDIUM | — | 0 |
| CVE-2025-15313 Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. | 5.5 | MEDIUM | — | 0 |
| CVE-2025-15310 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | — | 0 |
| CVE-2025-15147 The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'W... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25958 Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privi... | 7.7 | HIGH | — | 0 |
| CVE-2026-25957 Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a C... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25951 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privilege... | 7.2 | HIGH | — | 0 |
| CVE-2026-25939 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attack... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25938 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execut... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25934 go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not p... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25931 vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as t... | 7.8 | HIGH | — | 0 |
| CVE-2026-25895 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locati... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25894 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25893 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrat... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-15319 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | — | 0 |
| CVE-2025-15318 Tanium addressed an arbitrary file deletion vulnerability in End-User Notifications Endpoint Tools. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25961 SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers... | 7.5 | HIGH | — | 0 |
| CVE-2026-25925 PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App pac... | 7.8 | HIGH | — | 0 |
| CVE-2026-25923 my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validati... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25920 SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only ... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25918 unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25892 Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser ... | 7.5 | HIGH | — | 0 |
| CVE-2026-25890 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the... | 8.1 | HIGH | — | 0 |
| CVE-2026-25889 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the passw... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25885 PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated clie... | 7.5 | HIGH | — | 0 |
| CVE-2026-25881 SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag throug... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-25880 SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the use... | 7.8 | HIGH | — | 0 |
| CVE-2026-25875 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforc... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25814 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without v... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25813 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction. | 7.5 | HIGH | — | 0 |
| CVE-2026-25812 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanis... | 8.8 | HIGH | — | 0 |
| CVE-2026-25811 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, wit... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25808 Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts we... | 7.5 | HIGH | — | 0 |
| CVE-2026-25807 ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 wi... | 8.8 | HIGH | — | 0 |
| CVE-2025-15317 Tanium addressed an uncontrolled resource consumption vulnerability in Tanium Server. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15316 Tanium addressed a local privilege escalation vulnerability in Tanium Server. | 6.7 | MEDIUM | — | 0 |
| CVE-2025-15315 Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. | 6.7 | MEDIUM | — | 0 |
| CVE-2026-25878 FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_re... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25876 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level autho... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25810 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25809 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing executio... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25806 PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes i... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25791 Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessi... | 7.5 | HIGH | — | 0 |
| CVE-2026-25765 Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby'... | 5.8 | MEDIUM | — | 0 |
| CVE-2026-25761 Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames.... | 8.8 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.