Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-25235 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verif... | 7.5 | HIGH | — | 0 |
| CVE-2026-25236 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25237 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25489 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25490 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25502 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in ic... | 7.8 | HIGH | — | 0 |
| CVE-2026-25503 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ... | 7.1 | HIGH | — | 0 |
| CVE-2020-37066 GoldWave 5.70 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting malicious input in the File Open URL dialog. Attackers can generate a specially craft... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-24434 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24441 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-25614 Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | 7.5 | HIGH | — | 0 |
| CVE-2026-25615 Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | 7.2 | HIGH | — | 0 |
| CVE-2026-25616 Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. | 4.7 | MEDIUM | — | 0 |
| CVE-2025-65077 A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code... | N/A | NONE | — | 0 |
| CVE-2025-65078 An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code. | N/A | NONE | — | 0 |
| CVE-2025-65079 A heap-based buffer overflow vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as... | N/A | NONE | — | 0 |
| CVE-2025-65080 A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivil... | N/A | NONE | — | 0 |
| CVE-2025-65081 An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unp... | N/A | NONE | — | 0 |
| CVE-2020-37067 Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 by... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-37070 CloudMe 1.11.2 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code through crafted network packets. Attackers can exploit the vulnerability by sending a spe... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-37071 CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-37072 Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript pa... | 7.2 | HIGH | — | 0 |
| CVE-2020-37073 Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malici... | 8.8 | HIGH | — | 0 |
| CVE-2020-37074 Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malic... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-37075 LanSend 3.2 contains a buffer overflow vulnerability in the Add Computers Wizard file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious paylo... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-37076 Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability ... | 8.2 | HIGH | — | 0 |
| CVE-2020-37077 Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploi... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25150 Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The functio... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-25151 Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote att... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-25155 Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-25223 Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Ty... | 7.5 | HIGH | — | 0 |
| CVE-2026-25224 Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust... | 3.7 | LOW | — | 0 |
| CVE-2026-25509 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementati... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-20984 Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information. | N/A | NONE | — | 0 |
| CVE-2026-21393 Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note t... | N/A | NONE | — | 0 |
| CVE-2026-22875 Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note t... | N/A | NONE | — | 0 |
| CVE-2026-23704 A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Typ... | N/A | NONE | — | 0 |
| CVE-2026-24447 If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedde... | N/A | NONE | — | 0 |
| CVE-2026-1819 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPor... | 8.8 | HIGH | — | 0 |
| CVE-2025-15268 The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficien... | 7.5 | HIGH | — | 0 |
| CVE-2025-59818 This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. | 10.0 | CRITICAL | — | 0 |
| CVE-2026-0873 On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with know... | N/A | NONE | — | 0 |
| CVE-2026-24735 Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes... | 7.5 | HIGH | — | 0 |
| CVE-2025-14740 Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. The installer creates this direc... | 6.7 | MEDIUM | — | 0 |
| CVE-2025-5329 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection.This issue affects Delta Cours... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-70997 A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. | 6.5 | MEDIUM | — | 0 |
| CVE-2024-21953 Improper input validation in IOMMU could allow a malicious hypervisor to reconfigure IOMMU registers resulting in loss of guest data integrity. | N/A | NONE | — | 0 |
| CVE-2026-23045 In the Linux kernel, the following vulnerability has been resolved: net/ena: fix missing lock when update devlink params Fix assert lock warning while calling devl_param_driverinit_value_set() in en... | N/A | NONE | — | 0 |
| CVE-2026-23046 In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_... | N/A | NONE | — | 0 |
| CVE-2026-23047 In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be ... | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.