Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-35474 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, open redirect has been found in WeGIA webapp. The redirect parameter is taken directly from $_GET with no URL validation or whitelis... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-5359 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide... | N/A | NONE | — | 0 |
| CVE-2026-35566 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users should reference CVE-2026-3931... | N/A | NONE | — | 0 |
| CVE-2026-35567 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-3932... | N/A | NONE | — | 0 |
| CVE-2026-35523 Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subp... | 7.5 | HIGH | — | 0 |
| CVE-2026-35613 coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe... | 5.1 | MEDIUM | — | 0 |
| CVE-2026-34603 Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the... | 7.1 | HIGH | — | 0 |
| CVE-2026-30867 CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a comprom... | 5.7 | MEDIUM | — | 0 |
| CVE-2026-31931 Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been p... | 7.5 | HIGH | — | 0 |
| CVE-2026-31932 Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 an... | 7.5 | HIGH | — | 0 |
| CVE-2026-31933 Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been pat... | 7.5 | HIGH | — | 0 |
| CVE-2026-35168 OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict ... | 8.8 | HIGH | — | 0 |
| CVE-2026-5332 A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross... | 3.5 | LOW | — | 0 |
| CVE-2026-5333 A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument host resu... | 7.3 | HIGH | — | 0 |
| CVE-2026-5351 A weakness has been identified in Trendnet TEW-657BRM 1.00.1. This affects the function add_wps_client of the file /setup.cgi. This manipulation of the argument wl_enrolee_pin causes os command inject... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-5352 A security vulnerability has been detected in Trendnet TEW-657BRM 1.00.1. This impacts the function Edit of the file /setup.cgi. Such manipulation of the argument pcdb_list leads to os command injecti... | 6.3 | MEDIUM | — | 0 |
| CVE-2025-54328 An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Mod... | 10.0 | CRITICAL | — | 0 |
| CVE-2026-35200 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-32002 OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing att... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-39325 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users ... | 7.2 | HIGH | — | 0 |
| CVE-2026-39323 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-3932... | N/A | NONE | — | 0 |
| CVE-2026-39341 ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail... | 8.1 | HIGH | — | 0 |
| CVE-2026-39342 ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires a... | 8.8 | HIGH | — | 0 |
| CVE-2026-39351 Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit. | 9.1 | CRITICAL | — | 0 |
| CVE-2026-34200 Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication ... | 7.5 | HIGH | — | 0 |
| CVE-2026-34202 ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated at... | 7.5 | HIGH | — | 0 |
| CVE-2026-0522 A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path dur... | 8.8 | HIGH | — | 0 |
| CVE-2026-34236 Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient ... | 8.2 | HIGH | — | 0 |
| CVE-2026-34543 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive i... | 7.5 | HIGH | — | 0 |
| CVE-2019-25688 Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Attackers can sen... | 8.2 | HIGH | — | 0 |
| CVE-2019-25690 Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mng_profile_id parameter. Attackers can send crafted r... | 8.2 | HIGH | — | 0 |
| CVE-2019-25696 Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter. Attackers can submit malicious... | 8.2 | HIGH | — | 0 |
| CVE-2019-25698 Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_to_delete parameter. Attackers can send crafted req... | 8.2 | HIGH | — | 0 |
| CVE-2019-25700 Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sort_direction parameter. Attackers can submit malicio... | 8.2 | HIGH | — | 0 |
| CVE-2019-25702 Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_project parameter. Attackers can send crafted reque... | 8.2 | HIGH | — | 0 |
| CVE-2019-25704 Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the filter_user_mail parameter. Attackers can send crafted... | 8.2 | HIGH | — | 0 |
| CVE-2026-32861 There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code... | 7.8 | HIGH | — | 0 |
| CVE-2026-39322 PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. Tha... | 8.8 | HIGH | — | 0 |
| CVE-2026-39365 Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls r... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-3566 Rejected reason: After further discussion, the issue was determined to not meet the criteria for CVE assignment. | N/A | NONE | — | 0 |
| CVE-2026-39841 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo E... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-34078 Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at a... | N/A | NONE | — | 0 |
| CVE-2026-34079 Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the ... | 7.5 | HIGH | — | 0 |
| CVE-2026-39937 Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remed... | N/A | NONE | — | 0 |
| CVE-2026-4065 The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versi... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-20628 An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector ... | N/A | NONE | — | 0 |
| CVE-2026-4656 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | — | 0 |
| CVE-2019-25522 XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. Attackers ca... | 8.2 | HIGH | — | 0 |
| CVE-2019-25523 XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GE... | 8.2 | HIGH | — | 0 |
| CVE-2019-25524 XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET r... | 8.2 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.