Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-22455 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thebe thebe allows Reflected XSS.This issue affects Thebe: from n/a through <= 1.3... | 7.1 | HIGH | — | 0 |
| CVE-2026-27596 Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulne... | 7.5 | HIGH | — | 0 |
| CVE-2026-27631 Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulne... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-2256 A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived inp... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-3336 Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the fina... | 7.5 | HIGH | — | 0 |
| CVE-2026-3337 Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-26885 Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /classes/Master.php?f=delete_service. | 2.7 | LOW | — | 0 |
| CVE-2026-3351 Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd ser... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3342 An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow an authenticated privileged administrator to execute arbitrary code with root permissions via an exposed management interface. ... | 7.2 | HIGH | — | 0 |
| CVE-2026-3343 A reflected cross-site scripting (XSS) vulnerability in the Fireware OS Web UI enabled execution of malicious JavaScript in the context of an authenticated management user's browser when they click on... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-3344 A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS filesystem integrity check and maintain limited persistence via a maliciously-crafted firmware update package.... | 4.9 | MEDIUM | — | 0 |
| CVE-2025-64736 An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-70821 renren-secuity before v5.5.0 is vulnerable to SQL Injection in the BaseServiceImpl.java component | 9.8 | CRITICAL | — | 0 |
| CVE-2026-20777 A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted .wft file can lead to... | 8.1 | HIGH | — | 0 |
| CVE-2026-22891 A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-24103 A buffer overflow vulnerability was discovered in goform/formSetMacFilterCfg in Tenda AC15V1.0 V15.03.05.18_multi. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25673 An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows th... | 7.5 | HIGH | — | 0 |
| CVE-2026-3136 An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vu... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-35484 Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the Vie... | 8.2 | HIGH | — | 0 |
| CVE-2021-35485 The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/applicati... | 8.0 | HIGH | — | 0 |
| CVE-2021-35486 A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifical... | 8.1 | HIGH | — | 0 |
| CVE-2023-31044 An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the C... | 2.0 | LOW | — | 0 |
| CVE-2025-15599 DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-63909 Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write... | 7.2 | HIGH | — | 0 |
| CVE-2025-63910 An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administrator privileges to execute arbitrary code via uploa... | 7.2 | HIGH | — | 0 |
| CVE-2025-70236 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDomainFilter. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-70237 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetPortTr. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-70241 Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWANType_Wizard5. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-0869 Authentication bypass in Brocade ASCG 3.4.0 Could allow an unauthorized user to perform ASCG operations related to Brocade Support Link(BSL) and streaming configuration. and could even disable the ASC... | 8.8 | HIGH | — | 0 |
| CVE-2026-1265 IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to writing of sensitive Information in a log file. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-26887 Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php. | 2.7 | LOW | — | 0 |
| CVE-2026-26888 Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php. | 2.7 | LOW | — | 0 |
| CVE-2026-26889 Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php. | 2.7 | LOW | — | 0 |
| CVE-2026-26891 Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_parcel_type.php. | 2.7 | LOW | — | 0 |
| CVE-2026-1713 IBM MQ 9.1.0.0 through 9.1.0.33 LTS, 9.2.0.0 through 9.2.0.40 LTS, 9.3.0.0 through 9.3.0.36 LTS, 9.30.0 through 9.3.5.1 CD, 9.4.0.0 through 9.4.0.17 LTS, and 9.4.0.0 through 9.4.4.1 CD | 5.0 | MEDIUM | — | 0 |
| CVE-2026-24502 Dell Command | Intel vPro Out of Band, versions prior to 4.7.0, contain an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vu... | 8.8 | HIGH | — | 0 |
| CVE-2026-25906 Dell Optimizer, versions prior to 6.3.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit ... | 7.3 | HIGH | — | 0 |
| CVE-2026-3485 A flaw has been found in D-Link DIR-868L 110b03. This affects the function sub_1BF84 of the component SSDP Service. This manipulation of the argument ST causes os command injection. It is possible to ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1775 The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially craft... | N/A | NONE | — | 0 |
| CVE-2026-21866 Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-24848 OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated ... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-24898 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoin... | 10.0 | CRITICAL | — | 0 |
| CVE-2026-25146 OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret val... | 9.6 | CRITICAL | — | 0 |
| CVE-2026-27012 OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allo... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-2590 Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to pe... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3130 Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked ou... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3204 Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27971 Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27981 HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1.... | 7.4 | HIGH | — | 0 |
| CVE-2026-28289 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with f... | 10.0 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.