CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD
| CVE ID and description | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-29093 WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while th... | 8.1 | HIGH | — | 0 |
| CVE-2026-25877 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks bas... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25887 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability vi... | 7.2 | HIGH | — | 0 |
| CVE-2026-25888 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability vi... | 8.8 | HIGH | — | 0 |
| CVE-2026-27005 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27603 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_... | 7.5 | HIGH | — | 0 |
| CVE-2026-27605 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project l... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-28507 Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in v... | 7.2 | HIGH | — | 0 |
| CVE-2026-28508 Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any... | 8.6 | HIGH | — | 0 |
| CVE-2026-28509 LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerabi... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-28675 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to clients. Addition... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28676 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did ... | 8.8 | HIGH | — | 0 |
| CVE-2026-28677 OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with ... | 8.2 | HIGH | — | 0 |
| CVE-2026-28679 Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prior to version 1.21.0, when a user requests a download, the application does not verify whether the re... | 8.6 | HIGH | — | 0 |
| CVE-2026-28680 Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sens... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-28682 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload stat... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-28683 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they c... | 8.7 | HIGH | — | 0 |
| CVE-2026-28685 Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28785 Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potent... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-28787 OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, ... | 8.2 | HIGH | — | 0 |
| CVE-2026-28794 oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29060 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to ... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-29061 Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demo... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-28802 Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empt... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-28804 pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-29038 changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-29039 changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via th... | 7.5 | HIGH | — | 0 |
| CVE-2026-29042 Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29048 HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encodin... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-29049 melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP c... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-29058 AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Ur... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-29065 changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path ... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-29068 PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload containing mo... | 7.5 | HIGH | — | 0 |
| CVE-2026-29062 jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser... | 7.5 | HIGH | — | 0 |
| CVE-2026-29073 SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run SQL directly, but it only checks basic auth, not admin rights, any logged-in user, even rea... | 8.8 | HIGH | — | 0 |
| CVE-2026-25180 Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to disclose information locally. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-1468 QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft a special website, which when visited by the victim, will automatically send a POST request with vic... | N/A | NONE | — | 0 |
| CVE-2024-35644 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS. This issue affects Preferred Langu... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-28080 Missing Authorization vulnerability in Rank Math Rank Math SEO PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rank Math SEO PRO: from n/a through 3.0.95... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-28106 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugins B2BKing Premium allows Phishing. This issue affects B2BKing Premium: from n/a before 5.4.20. | 4.7 | MEDIUM | — | 0 |
| CVE-2026-25181 Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network. | 7.5 | HIGH | — | 0 |
| CVE-2018-25178 Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the file parameter. Attackers can send POST requests ... | 7.5 | HIGH | — | 0 |
| CVE-2018-25186 Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. Attackers can c... | 5.3 | MEDIUM | — | 0 |
| CVE-2018-25187 Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sensitive database files and execute SQL injection attacks. Attackers can directly request the kim.db d... | 8.2 | HIGH | — | 0 |
| CVE-2018-25199 OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. Attackers can inj... | 8.2 | HIGH | — | 0 |
| CVE-2018-25200 OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can sub... | 5.3 | MEDIUM | — | 0 |
| CVE-2022-4947 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-32111. Reason: This candidate is a reservation duplicate of CVE-2024-32111. Notes: All CVE users should reference C... | N/A | NONE | — | 0 |
| CVE-2026-1799 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate has been determined not to be a valid vulnerability. Notes: All references and descriptions in this candidate hav... | N/A | NONE | — | 0 |
| CVE-2026-26051 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can con... | 9.4 | CRITICAL | — | 0 |
| CVE-2026-2752 Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return... | 5.3 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.