Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-26047 A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27198 Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the... | 8.8 | HIGH | — | 0 |
| CVE-2019-25439 NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can cra... | 8.2 | HIGH | — | 0 |
| CVE-2026-27199 Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previou... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27205 Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Us... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27210 Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, includin... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27211 Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-bl... | 10.0 | CRITICAL | — | 0 |
| CVE-2019-25440 WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET r... | 8.2 | HIGH | — | 0 |
| CVE-2026-27467 BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. ... | 2.0 | LOW | — | 0 |
| CVE-2026-27469 Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecti... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27470 ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the w... | 8.8 | HIGH | — | 0 |
| CVE-2019-25443 Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicio... | 8.2 | HIGH | — | 0 |
| CVE-2026-27485 OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlink... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-27486 OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without v... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27487 OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into ... | 7.6 | HIGH | — | 0 |
| CVE-2026-27488 OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal ... | 7.3 | HIGH | — | 0 |
| CVE-2026-27576 OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.sen... | 4.0 | MEDIUM | — | 0 |
| CVE-2026-2870 A security flaw has been discovered in Tenda A21 1.0.0.0. Affected by this issue is the function set_qosMib_list of the file /goform/formSetQosBand. The manipulation of the argument list results in st... | 8.8 | HIGH | — | 0 |
| CVE-2026-2871 A weakness has been identified in Tenda A21 1.0.0.0. This affects the function fromSetIpMacBind of the file /goform/SetIpMacBind. This manipulation of the argument list causes stack-based buffer overf... | 8.8 | HIGH | — | 0 |
| CVE-2026-2872 A security vulnerability has been detected in Tenda A21 1.0.0.0. This vulnerability affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration E... | 8.8 | HIGH | — | 0 |
| CVE-2026-2873 A vulnerability was detected in Tenda A21 1.0.0.0. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. Performing a manipulation of the argument schedStartTime/schedEndTime... | 8.8 | HIGH | — | 0 |
| CVE-2026-2874 A flaw has been found in Tenda A21 1.0.0.0. Impacted is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. Executing a manipulation of the argument ssid can lead to sta... | 8.8 | HIGH | — | 0 |
| CVE-2026-2876 A vulnerability was determined in Tenda A18 15.13.07.13. This affects the function parse_macfilter_rule of the file /goform/setBlackRule. This manipulation of the argument deviceList causes stack-base... | 8.8 | HIGH | — | 0 |
| CVE-2026-2886 A weakness has been identified in Tenda A21 1.0.0.0. This affects the function set_device_name of the file /goform/SetOnlineDevName. This manipulation of the argument devName causes stack-based buffer... | 8.8 | HIGH | — | 0 |
| CVE-2026-2894 A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to informa... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-2904 A vulnerability was determined in UTT HiPER 810G 1.7.7-171114. This affects the function strcpy of the file /goform/ConfigExceptAli. Executing a manipulation can lead to buffer overflow. The attack ca... | 8.8 | HIGH | — | 0 |
| CVE-2026-2905 A vulnerability was identified in Tenda HG9 300001138. This impacts an unknown function of the file /boaform/formWlanSetup of the component Wireless Configuration Endpoint. The manipulation of the arg... | 8.8 | HIGH | — | 0 |
| CVE-2026-2906 A security flaw has been discovered in Tenda HG9 300001138. Affected is an unknown function of the file /boaform/formSamba of the component Samba Configuration Endpoint. The manipulation of the argume... | 8.8 | HIGH | — | 0 |
| CVE-2026-2907 A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. This m... | 8.8 | HIGH | — | 0 |
| CVE-2026-2908 A security vulnerability has been detected in Tenda HG9 300001138. Affected by this issue is some unknown functionality of the file /boaform/formLoopBack of the component Loopback Detection Configurat... | 8.8 | HIGH | — | 0 |
| CVE-2026-2909 A vulnerability was detected in Tenda HG9 300001138. This affects an unknown part of the file /boaform/formPing of the component Diagnostic Ping Endpoint. Performing a manipulation of the argument pin... | 8.8 | HIGH | — | 0 |
| CVE-2026-2926 A flaw has been found in D-Link DWR-M960 1.01.07. This affects the function sub_4237AC of the file /boafrm/formLteSetup of the component LTE Configuration Endpoint. Executing a manipulation of the arg... | 8.8 | HIGH | — | 0 |
| CVE-2026-2927 A vulnerability has been found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_462590 of the file /boafrm/formOpMode of the component Operation Mode Configuration Endpoint. The... | 8.8 | HIGH | — | 0 |
| CVE-2026-2928 A vulnerability was found in D-Link DWR-M960 1.01.07. This issue affects the function sub_452CCC of the file /boafrm/formWlEncrypt of the component WLAN Encryption Configuration Endpoint. The manipula... | 8.8 | HIGH | — | 0 |
| CVE-2026-1369 The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue | 4.3 | MEDIUM | — | 0 |
| CVE-2026-2929 A vulnerability was determined in D-Link DWR-M960 1.01.07. Impacted is the function sub_453140 of the file /boafrm/formWlAc of the component Wireless Access Control Endpoint. This manipulation of the ... | 8.8 | HIGH | — | 0 |
| CVE-2019-25391 Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST... | 8.2 | HIGH | — | 0 |
| CVE-2019-25457 Web Ofisi Firma v13 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. Attackers can s... | 7.5 | HIGH | — | 0 |
| CVE-2019-25458 Web Ofisi Firma Rehberi v1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can send... | 9.8 | CRITICAL | — | 0 |
| CVE-2019-25459 Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in the endpoint that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL ... | 9.8 | CRITICAL | — | 0 |
| CVE-2019-25460 Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' GET parameter. Attack... | 7.5 | HIGH | — | 0 |
| CVE-2019-25461 Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Attackers ... | 7.5 | HIGH | — | 0 |
| CVE-2019-25462 Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. Attackers can ... | 8.2 | HIGH | — | 0 |
| CVE-2026-2997 Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers to modify a specific parameter to obtain a course ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-2998 ERP developed by eAI Technologies has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a crafted DLL file in the same directory as the program, thereby executing arbitrar... | 7.8 | HIGH | — | 0 |
| CVE-2025-70058 An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in t... | 7.4 | HIGH | — | 0 |
| CVE-2026-1367 Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option. | 8.3 | HIGH | — | 0 |
| CVE-2026-23552 Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens agains... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25747 Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository usin... | 8.8 | HIGH | — | 0 |
| CVE-2026-26365 Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could... | 4.0 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.