Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2025-15500 A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HT... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-22584 Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS:... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-15501 A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipu... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-59057 React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> API... | 7.6 | HIGH | — | 0 |
| CVE-2025-61686 React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorag... | 9.1 | CRITICAL | — | 0 |
| CVE-2025-13774 A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | 8.8 | HIGH | — | 0 |
| CVE-2025-68470 React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navig... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-21884 React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Frame... | 8.2 | HIGH | — | 0 |
| CVE-2026-22029 React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from l... | 8.0 | HIGH | — | 0 |
| CVE-2026-22030 React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document PO... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-61674 October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-0889 Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 7.5 | HIGH | — | 0 |
| CVE-2025-61676 October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration for... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-65090 XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the da... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-65091 XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL i... | 10.0 | CRITICAL | — | 0 |
| CVE-2026-22589 Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was id... | 7.5 | HIGH | — | 0 |
| CVE-2026-22688 WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users ... | 9.9 | CRITICAL | — | 0 |
| CVE-2025-41078 Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deleti... | 8.1 | HIGH | — | 0 |
| CVE-2026-22690 pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerabil... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-22691 pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-22689 Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validatio... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22693 HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The functi... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-22699 RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret k... | 7.5 | HIGH | — | 0 |
| CVE-2026-22700 RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret k... | 7.5 | HIGH | — | 0 |
| CVE-2026-22702 virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform syml... | 4.5 | MEDIUM | — | 0 |
| CVE-2026-22703 Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-22704 HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been... | 8.0 | HIGH | — | 0 |
| CVE-2026-22773 vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 visio... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-46070 An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component | 9.8 | CRITICAL | — | 0 |
| CVE-2026-22777 ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary ... | 7.5 | HIGH | — | 0 |
| CVE-2025-15502 A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. ... | 7.3 | HIGH | — | 0 |
| CVE-2025-15503 A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. P... | 7.3 | HIGH | — | 0 |
| CVE-2025-52694 Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-41077 IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the us... | 8.1 | HIGH | — | 0 |
| CVE-2025-63314 A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a rep... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-65552 D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or ant... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-65553 D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmi... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-66939 Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file | 5.4 | MEDIUM | — | 0 |
| CVE-2025-67813 Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication | 5.3 | MEDIUM | — | 0 |
| CVE-2025-71063 Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | 8.2 | HIGH | — | 0 |
| CVE-2025-46066 An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges | 9.9 | CRITICAL | — | 0 |
| CVE-2025-46067 An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file | 8.2 | HIGH | — | 0 |
| CVE-2025-46068 An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism | 8.8 | HIGH | — | 0 |
| CVE-2021-41074 A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. | 5.4 | MEDIUM | — | 0 |
| CVE-2025-66689 A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_da... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-68622 Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) dev... | 6.8 | MEDIUM | — | 0 |
| CVE-2025-68656 Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an over... | 6.8 | MEDIUM | — | 0 |
| CVE-2025-68657 Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event call... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-22033 Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the ap... | 5.4 | MEDIUM | — | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.