Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2025-66605 A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Since there are input fields on this webpage with the autocomplete attribute enabled, the input content could... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-66606 A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly encode URLs. An attacker could tamper with web pages or execute malicious scri... | 9.6 | CRITICAL | — | 0 |
| CVE-2026-2650 Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 8.8 | HIGH | — | 0 |
| CVE-2026-25497 Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL AP... | 8.8 | HIGH | — | 0 |
| CVE-2026-25498 Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the asse... | 7.2 | HIGH | — | 0 |
| CVE-2026-25598 Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community T... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25761 Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames.... | 8.8 | HIGH | — | 0 |
| CVE-2026-25892 Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser ... | 7.5 | HIGH | — | 0 |
| CVE-2025-15319 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | — | 0 |
| CVE-2026-25934 go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not p... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25957 Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a C... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25958 Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privi... | 7.7 | HIGH | — | 0 |
| CVE-2025-15310 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. | 7.8 | HIGH | — | 0 |
| CVE-2025-15313 Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25805 Zed is a multiplayer code editor. Prior to 0.219.4, Zed does not show with which parameters a tool is being invoked, when asking for allowance. Further it does not show after the tool was being invoke... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-25947 Worklenz is a project management tool. Prior to 2.1.7, there are multiple SQL injection vulnerabilities were discovered in backend SQL query construction affecting project and task management controll... | 8.8 | HIGH | — | 0 |
| CVE-2026-25992 SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file... | 7.5 | HIGH | — | 0 |
| CVE-2026-25993 EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-26003 FastGPT is an AI Agent building platform. From 4.14.0 to 4.14.5, attackers can directly access the plugin system through FastGPT/api/plugin/xxx without authentication, thereby threatening the plugin s... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25319 Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a throu... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1571 User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-13648 An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injec... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-13649 An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could ... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-47205 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerabilit... | 4.9 | MEDIUM | — | 0 |
| CVE-2025-8668 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd.... | 9.4 | CRITICAL | — | 0 |
| CVE-2019-25308 Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code wi... | 7.8 | HIGH | — | 0 |
| CVE-2026-26014 Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for r... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-26019 LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting UR... | 4.1 | MEDIUM | — | 0 |
| CVE-2026-1669 Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensit... | 7.5 | HIGH | — | 0 |
| CVE-2026-20601 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission. | 3.3 | LOW | — | 0 |
| CVE-2026-26216 Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using... | 10.0 | CRITICAL | — | 0 |
| CVE-2026-26217 Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauth... | 8.6 | HIGH | — | 0 |
| CVE-2025-55210 FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticat... | 7.5 | HIGH | — | 0 |
| CVE-2025-61879 In Infoblox NIOS through 9.0.7, a High-Privileged User Can Trigger an Arbitrary File Write via the Account Creation Mechanism. | 7.7 | HIGH | — | 0 |
| CVE-2026-26218 newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset t... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25227 authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping ... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25748 authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Pro... | 8.6 | HIGH | — | 0 |
| CVE-2026-25767 LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user w... | 8.1 | HIGH | — | 0 |
| CVE-2026-25768 LavinMQ is a high-performance message queue & streaming server. Before 2.6.6, an authenticated user could access metadata in the broker they should not have access to. This vulnerability is fixed in 2... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25933 Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from i... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-25322 Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Revisions revisionary allows Cross Site Request Forgery.This issue affects PublishPress Revisions: from n/a through <= 3.7.... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-26069 Scraparr is a Prometheus Exporter for various components of the *arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API k... | 7.5 | HIGH | — | 0 |
| CVE-2026-26075 FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain secu... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-26076 ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enable... | 7.5 | HIGH | — | 0 |
| CVE-2026-26185 Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an inval... | 5.3 | MEDIUM | — | 0 |
| CVE-2019-25321 FTP Navigator 8.03 contains a stack overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) registers. Attackers can craft a malicious ... | 9.8 | CRITICAL | — | 0 |
| CVE-2019-25329 FTP Navigator 8.03 contains a denial of service vulnerability that allows attackers to crash the application by overwriting Structured Exception Handler (SEH) with malicious input. Attackers can gener... | 7.5 | HIGH | — | 0 |
| CVE-2025-48022 A vulnerability has been found in Vnet/IP Interface Package provided by Yokogawa Electric Corporation. If affected product receives maliciously crafted packets, Vnet/IP software stack process may be t... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-48023 A vulnerability has been found in Vnet/IP Interface Package provided by Yokogawa Electric Corporation. If affected product receives maliciously crafted packets, Vnet/IP software stack process may be t... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-20796 Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via... | 3.1 | LOW | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.