CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD data
| CVE ID and description | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-1298 The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1083 The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 d... | 4.4 | MEDIUM | — | 0 |
| CVE-2025-8072 The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient inpu... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-14610 The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be... | 7.2 | HIGH | — | 0 |
| CVE-2025-13471 The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable Use... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24867 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24866 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24865 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24864 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24863 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24862 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24861 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24860 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-24859 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2026-1514 Official Document Management System developed by 2100 Technology has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official docu... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1506 A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac ... | 7.2 | HIGH | — | 0 |
| CVE-2026-1513 billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-1505 A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injecti... | 7.2 | HIGH | — | 0 |
| CVE-2026-24852 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read when the ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-24850 The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24842 node-tar, a tar implementation for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation... | 8.2 | HIGH | — | 0 |
| CVE-2026-24841 Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-termina... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-24840 Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line ... | 8.0 | HIGH | — | 0 |
| CVE-2026-24839 Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This a... | 4.7 | MEDIUM | — | 0 |
| CVE-2026-24838 DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include ... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-21569 This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a... | N/A | NONE | — | 0 |
| CVE-2026-24837 DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name... | 7.6 | HIGH | — | 0 |
| CVE-2026-24836 DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write... | 7.6 | HIGH | — | 0 |
| CVE-2026-24833 DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its descript... | 7.6 | HIGH | — | 0 |
| CVE-2026-24785 Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 have a protocol compliance vulnerability. The library allowed... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-24784 DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-24134 StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Managemen... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23830 SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandb... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-67645 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authentic... | 8.8 | HIGH | — | 0 |
| CVE-2025-55292 Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This ... | 8.2 | HIGH | — | 0 |
| CVE-2025-54373 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed t... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24910 In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github). | 5.9 | MEDIUM | — | 0 |
| CVE-2026-24909 vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-24783 soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate pro... | 7.5 | HIGH | — | 0 |
| CVE-2026-24779 vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vL... | 7.1 | HIGH | — | 0 |
| CVE-2026-24778 Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authentic... | 8.8 | HIGH | — | 0 |
| CVE-2026-24770 RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to o... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-24765 PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in ... | 7.8 | HIGH | — | 0 |
| CVE-2026-24748 Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed u... | 7.2 | HIGH | — | 0 |
| CVE-2026-24747 PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.... | 8.8 | HIGH | — | 0 |
| CVE-2026-24741 ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unli... | 8.1 | HIGH | — | 0 |
| CVE-2026-24740 Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) ... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-24738 gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resourc... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24736 Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the R... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-1504 Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: ... | 6.5 | MEDIUM | — | 0 |
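Two things in the table above are easy to misread during triage. First, the Severity column is the NVD qualitative band derived from the CVSS base score, so "N/A / NONE" means NVD has not scored the entry yet, not that it is harmless: the Crowd XXE row (CVE-2026-21569) is rated High in the vendor text but carries N/A here, while the nine "Rejected reason: Not used" rows are genuinely dead entries. Second, the KEV column is a join against CISA's Known Exploited Vulnerabilities catalogue, which should be re-checked against the live feed rather than trusted from a snapshot. The script below is an added example written for this page, not code from the feed that produced the table. It parses rows in the table's markdown layout, recomputes the severity band from the score to catch inconsistencies, joins against a KEV catalogue in the layout of CISA's known_exploited_vulnerabilities.json, and ranks the rows KEV-first, CVSS-descending, routing unscored live entries to a manual-review list instead of burying them. The table excerpt and the KEV excerpt are constructed sample inputs; the KEV record for CVE-2025-14610 is demo data and does not mean that CVE is actually in the catalogue.

```python
"""Triage helper for a CVE table enriched with NVD CVSS scores and CISA KEV flags.

Added example for this page; not code from the feed that produced the table.
Assumptions (not from the page): rows use the markdown layout of the table,
"N/A" in the CVSS column means NVD has not scored the entry, and the KEV
excerpt below is constructed for the demo (it does not assert that any CVE
listed on the page is in the real KEV catalogue).
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the header plus four rows copied from the table above.
SAMPLE_TABLE = """\
| CVE ID and description | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-24841 Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists ... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-21569 This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. ... | N/A | NONE | — | 0 |
| CVE-2026-24863 Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2025-14610 The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery ... | 7.2 | HIGH | — | 0 |
"""

# Constructed KEV excerpt in the layout of CISA's known_exploited_vulnerabilities.json
# (a "vulnerabilities" list of objects keyed by "cveID"). Demo data only: this does
# NOT mean CVE-2025-14610 is in the real catalogue.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 1,
    "vulnerabilities": [
        {"cveID": "CVE-2025-14610", "vendorProject": "demo", "product": "demo",
         "dateAdded": "2026-01-01", "dueDate": "2026-01-22"}
    ],
})


@dataclass
class CveRow:
    cve_id: str
    description: str
    cvss: Optional[float]   # None when the table says "N/A" (unscored by NVD)
    severity: str           # band as published in the table
    kev: bool               # True when the KEV column is non-empty
    observations: int


_ID_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(.*)$", re.S)
_EMPTY = {"", "-", "—", "N/A"}   # markers the table uses for "not in KEV"


def parse_row(line: str) -> Optional[CveRow]:
    """Parse one markdown row; returns None for header, separator and blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 5:
        return None
    # The last four cells are fixed; anything before them is the ID + description.
    first, (cvss, severity, kev, obs) = "|".join(cells[:-4]), cells[-4:]
    m = _ID_RE.match(first)
    if not m:
        return None
    score = None if cvss.upper() == "N/A" else float(cvss)
    return CveRow(m.group(1), m.group(2), score, severity.upper(),
                  kev not in _EMPTY, int(obs) if obs.isdigit() else 0)


def parse_table(text: str) -> list:
    rows = [parse_row(line) for line in text.splitlines()]
    return [r for r in rows if r is not None]


def severity_from_cvss(score: Optional[float]) -> str:
    """NVD qualitative rating scale for CVSS v3.x; unscored and 0.0 both map to NONE."""
    if score is None or score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def severity_mismatches(rows) -> list:
    """IDs whose published band disagrees with the band derived from their score."""
    return [r.cve_id for r in rows if severity_from_cvss(r.cvss) != r.severity]


def load_kev_ids(kev_json: str) -> set:
    """Set of CVE IDs from a KEV catalogue document (CISA JSON layout)."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def triage(rows, kev_ids):
    """Rank actionable rows KEV-first, then CVSS descending.
    Rejected entries are dropped. Live entries with no NVD score go to a
    manual-review list instead of the bottom of the ranking, because NONE
    here means "not scored", not "harmless"."""
    ranked, manual, rejected = [], [], []
    for r in rows:
        if r.description.startswith("Rejected"):
            rejected.append(r.cve_id)
            continue
        in_kev = r.kev or r.cve_id in kev_ids
        if r.cvss is None and not in_kev:
            manual.append(r.cve_id)
            continue
        ranked.append((in_kev, r))
    ranked.sort(key=lambda t: (not t[0], -(t[1].cvss or 0.0)))
    return [r.cve_id for _, r in ranked], manual, rejected


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    order, manual, dropped = triage(rows, load_kev_ids(SAMPLE_KEV_JSON))
    print("ranked:", order)           # ['CVE-2025-14610', 'CVE-2026-24841']
    print("manual review:", manual)   # ['CVE-2026-21569']
    print("rejected:", dropped)       # ['CVE-2026-24863']
    print("severity mismatches:", severity_mismatches(rows))  # []
```

To run this against the real data, replace SAMPLE_KEV_JSON with the body of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and feed the full table text to parse_table; the KEV join is by CVE ID only, so a row whose ID is in the catalogue is promoted regardless of its CVSS score.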
This product uses data from the NVD API but is not endorsed or certified by the NVD.