Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-26186 Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query par... | 8.8 | HIGH | — | 0 |
| CVE-2026-27630 TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thre... | 7.5 | HIGH | — | 0 |
| CVE-2026-26997 ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27799 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image ... | 4.0 | MEDIUM | — | 0 |
| CVE-2026-27800 Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability exists in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/ar... | 7.4 | HIGH | — | 0 |
| CVE-2026-27804 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authen... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-27808 Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server p... | 5.8 | MEDIUM | — | 0 |
| CVE-2026-27809 psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past th... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-27830 c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` impleme... | N/A | NONE | — | 0 |
| CVE-2026-27831 rldns is an open source DNS server. Version 1.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue. | 7.5 | HIGH | — | 0 |
| CVE-2026-27837 Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3a... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-27840 ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are sti... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27884 NetExec is a network execution tool. Prior to version 1.5.1, the module spider_plus improperly creates the output file and folder path when saving files from SMB shares. It does not take into account ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27573 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27899 WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending... | 8.8 | HIGH | — | 0 |
| CVE-2026-27900 The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-27901 Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable H... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27902 Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27903 minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` perfo... | 7.5 | HIGH | — | 0 |
| CVE-2026-28138 Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection.This issue affects uListing: from n/a through <= 2.2.0. | 7.2 | HIGH | — | 0 |
| CVE-2026-27581 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27904 minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extgl... | 7.5 | HIGH | — | 0 |
| CVE-2026-27938 WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injecti... | 7.7 | HIGH | — | 0 |
| CVE-2026-27941 OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out a... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-27942 fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with st... | 7.5 | HIGH | — | 0 |
| CVE-2026-27943 OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27948 Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27582 Rejected reason: Further research determined the situation described is not a vulnerability. | N/A | NONE | — | 0 |
| CVE-2026-27966 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27968 Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27969 Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipu... | 8.8 | HIGH | — | 0 |
| CVE-2026-27970 Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27973 Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that al... | 4.0 | MEDIUM | — | 0 |
| CVE-2025-64999 Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into t... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23999 Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Becaus... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-24004 Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollmen... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25963 Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certi... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27465 Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated use... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27963 Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arb... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-1694 HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features o... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1695 An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-1696 Some HTTP security headers are not properly set by the web server when sending responses to the client application. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-1697 The Secure and SameSite attribute are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 included. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1698 A HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a remote attacker to inject harmful payloads that m... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-28131 Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.This issue affects... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28132 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection.This issue affects W... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23748 Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value les... | 3.7 | LOW | — | 0 |
| CVE-2026-23749 Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() ac... | 2.9 | LOW | — | 0 |
| CVE-2026-23750 Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_S... | 8.1 | HIGH | — | 0 |
| CVE-2026-26227 VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verificati... | 3.7 | LOW | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.