Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-27148 Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev se... | 9.6 | CRITICAL | — | 0 |
| CVE-2026-27575 Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength req... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-27616 Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports J... | 7.3 | HIGH | — | 0 |
| CVE-2026-27819 Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to ... | 7.2 | HIGH | — | 0 |
| CVE-2026-27951 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and serve... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27497 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's S... | 8.8 | HIGH | — | 0 |
| CVE-2026-27498 n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk ... | 8.8 | HIGH | — | 0 |
| CVE-2026-27577 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CV... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-27578 n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts in... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27633 TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers c... | 7.5 | HIGH | — | 0 |
| CVE-2026-27635 Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, ... | 7.5 | HIGH | — | 0 |
| CVE-2026-27709 NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, NanaZip’s `.NET Single File Application` parser has an out-of-bounds read vulner... | 6.6 | MEDIUM | — | 0 |
| CVE-2026-27710 NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a denial-of-service vulnerability exists in NanaZip’s `.NET Single File Applicat... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-27711 NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a memory corruption vulnerability in NanaZip’s UFS parser allows a crafted `.ufs... | 6.6 | MEDIUM | — | 0 |
| CVE-2026-27200 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27201 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27821 GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd... | 7.8 | HIGH | — | 0 |
| CVE-2026-27933 Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cook... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-27967 Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory*... | 7.1 | HIGH | — | 0 |
| CVE-2026-27976 Zed, a code editor, has an extension installer allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validatio... | 8.8 | HIGH | — | 0 |
| CVE-2026-27829 Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27888 pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xf... | 7.5 | HIGH | — | 0 |
| CVE-2026-27500 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27501 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27945 ZITADEL is an open source identity management platform. Zitadel Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook based approach to allow developers act on ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27946 ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verif... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1557 The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to... | 7.5 | HIGH | — | 0 |
| CVE-2026-22728 Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation (/v1/rotate) flow. The rotation handler derives the sealing scope for the newly encrypted output from untrust... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-27887 Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could retu... | N/A | NONE | — | 0 |
| CVE-2026-28136 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.1... | 7.6 | HIGH | — | 0 |
| CVE-2026-27580 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27904 minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extgl... | 7.5 | HIGH | — | 0 |
| CVE-2026-27938 WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injecti... | 7.7 | HIGH | — | 0 |
| CVE-2026-27941 OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out a... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-27942 fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with st... | 7.5 | HIGH | — | 0 |
| CVE-2026-27943 OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27948 Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27582 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27966 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27968 Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27969 Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipu... | 8.8 | HIGH | — | 0 |
| CVE-2026-27970 Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27973 Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that al... | 4.0 | MEDIUM | — | 0 |
| CVE-2025-64999 Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into t... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23999 Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Becaus... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-24004 Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollmen... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25963 Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certi... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27465 Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated use... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27963 Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arb... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-27974 Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows ar... | 4.8 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.