Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2025-69848 NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the Protec... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-69875 A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged... | 7.8 | HIGH | — | 0 |
| CVE-2025-69970 FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with aut... | 9.3 | CRITICAL | — | 0 |
| CVE-2025-69981 FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbi... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-69983 FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attac... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-70311 JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-70559 pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An att... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-70758 chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.p... | 7.5 | HIGH | — | 0 |
| CVE-2026-20981 Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege. | 6.6 | MEDIUM | — | 0 |
| CVE-2025-70841 Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-70849 Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-71179 Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bund... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-22220 A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device’s web service to become unresponsive, resulting... | 4.5 | MEDIUM | — | 0 |
| CVE-2026-22228 An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Re... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-24664 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identif... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-20982 Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege. | 6.0 | MEDIUM | — | 0 |
| CVE-2026-24665 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students ... | 8.7 | HIGH | — | 0 |
| CVE-2026-24666 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24667 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existi... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-24668 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add conte... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24669 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid pas... | 7.8 | HIGH | — | 0 |
| CVE-2026-24670 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create ne... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24671 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-priv... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-24672 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students ... | 7.3 | HIGH | — | 0 |
| CVE-2026-24673 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files w... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-24674 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to ... | 4.7 | MEDIUM | — | 0 |
| CVE-2026-24773 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated ... | 7.5 | HIGH | — | 0 |
| CVE-2026-24774 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark ... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-52623 HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of se... | 3.7 | LOW | — | 0 |
| CVE-2026-0620 When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing... | N/A | NONE | — | 0 |
| CVE-2026-24426 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses with... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-24427 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, ar... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25233 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps.... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25234 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category m... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25235 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verif... | 7.5 | HIGH | — | 0 |
| CVE-2026-25236 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25237 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25239 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker ca... | 7.5 | HIGH | — | 0 |
| CVE-2026-25240 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an arra... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25241 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to e... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25482 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25483 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message.... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25488 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25484 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displa... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25485 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25486 Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25487 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2020-37065 StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a m... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25489 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25490 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.