Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-5543 A vulnerability was identified in PHPGurukul User Registration & Login and User Management System 3.3. The affected element is an unknown function of the file /admin/yesterday-reg-users.php. The manip... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-5546 A flaw has been found in Campcodes Complete Online Learning Management System 1.0. This impacts the function add_lesson of the file /application/models/Crud_model.php. This manipulation causes unrestr... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-5553 A vulnerability was identified in itsourcecode Online Cellphone System 1.0. Affected by this vulnerability is an unknown functionality of the file /cp/available.php of the component Parameter Handler.... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-39362 InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetch... | 7.1 | HIGH | — | 0 |
| CVE-2026-5554 A security flaw has been discovered in code-projects Concert Ticket Reservation System 1.0. Affected by this issue is some unknown functionality of the file /ConcertTicketReservationSystem-master/proc... | 7.3 | HIGH | — | 0 |
| CVE-2026-39862 Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows u... | 8.8 | HIGH | — | 0 |
| CVE-2026-34018 An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-35496 A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible. | N/A | NONE | — | 0 |
| CVE-2026-6636 A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Performing a manipulatio... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5557 A vulnerability was detected in badlogic pi-mono up to 0.58.4. This issue affects some unknown processing of the file packages/mom/src/slack.ts of the component pi-mom Slack Bot. The manipulation resu... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-5985 A security flaw has been discovered in code-projects Simple IT Discussion Forum 1.0. The affected element is an unknown function of the file /crud.php. The manipulation of the argument user_Id results... | 7.3 | HIGH | — | 0 |
| CVE-2025-59023 Crafted delegations or IP fragments can poison cached delegations in Recursor. | 8.2 | HIGH | — | 0 |
| CVE-2025-59024 Crafted delegations or IP fragments can poison cached delegations in Recursor. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-0398 Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24027 Crafted zones can lead to increased incoming network traffic. | 5.3 | MEDIUM | — | 0 |
| CVE-2025-32092 Insecure inherited permissions for some Intel(R) Graphics Software before version 25.30.1702.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary wi... | 6.7 | MEDIUM | — | 0 |
| CVE-2026-33755 Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/qu... | 8.8 | HIGH | — | 0 |
| CVE-2026-33906 Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file wit... | 7.2 | HIGH | — | 0 |
| CVE-2026-33907 Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34451 Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in th... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-34540 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a heap-buffer-overflow (HBO) in icMemDump() whe... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-34541 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) via a null-pointer memb... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-34542 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack-buffer-overflow (SBO) in CIccCalculator... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-34546 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted TIFF input can trigger Undefined Behavior (UB) due to division by zero ... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-34547 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, an Undefined Behavior (UB) condition in IccUtil.cpp can be triggered by a crafted... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-34548 iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in the XML conversion tooling path ... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-32218 Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-32219 Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | — | 0 |
| CVE-2026-40322 SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the ... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-21719 An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. | N/A | NONE | — | 0 |
| CVE-2026-40458 PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site reque... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-40459 PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP q... | 8.8 | HIGH | — | 0 |
| CVE-2026-39418 MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows authentica... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-39420 MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the L... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-39422 MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an app... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-39423 MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-40901 DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTr... | 8.8 | HIGH | — | 0 |
| CVE-2026-40287 PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directo... | 8.4 | HIGH | — | 0 |
| CVE-2026-40289 PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote ses... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-40313 PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/chec... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-40315 PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concaten... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-32165 Use after free in Windows User Interface Core allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
| CVE-2026-32181 Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-32195 Stack-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | — | 0 |
| CVE-2026-40499 radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in ... | N/A | NONE | — | 0 |
| CVE-2026-33877 ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/re... | 3.7 | LOW | — | 0 |
| CVE-2026-34943 Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val ... | 7.5 | HIGH | — | 0 |
| CVE-2026-34944 Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranel... | 5.7 | MEDIUM | — | 0 |
| CVE-2026-34945 Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, in... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-34946 Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can resu... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.