Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-27685 SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentialit... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-27686 Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation ... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-27687 Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a ... | 5.8 | MEDIUM | — | 0 |
| CVE-2026-27688 Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function mod... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-27689 Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function... | 7.7 | HIGH | — | 0 |
| CVE-2026-30869 SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By expl... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-30870 PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determini... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30885 WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An u... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-30887 OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-30913 Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is ... | 4.6 | MEDIUM | — | 0 |
| CVE-2025-41710 An unauthenticated remote attacker may use hardcodes credentials to get access to the previously activated FTP Server with limited read and write privileges. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30927 Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTH... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4977 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide... | N/A | NONE | — | 0 |
| CVE-2025-11739 CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stre... | N/A | NONE | — | 0 |
| CVE-2025-13901 CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occ... | N/A | NONE | — | 0 |
| CVE-2025-13902 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser ru... | N/A | NONE | — | 0 |
| CVE-2025-13957 CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL ... | N/A | NONE | — | 0 |
| CVE-2025-27769 A vulnerability has been identified in Heliox Flex 180 kW EV Charging Station (All versions < F4.11.1), Heliox Mobile DC 40 kW EV Charging Station (All versions < L4.10.1). Affected devices contain im... | 2.6 | LOW | — | 0 |
| CVE-2025-40943 Affected devices do not properly sanitize contents of trace files. This could allow an attacker to inject code through social engineering an authorized user, who has the function right "Read diagno... | 9.6 | CRITICAL | — | 0 |
| CVE-2025-41709 An unauthenticated remote attacker can perform a command injection via Modbus-TCP or Modbus-RTU to gain read and write access on the affected device. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-54820 A Stack-based Buffer Overflow vulnerability [CWE-121] vulnerability in Fortinet FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.10, FortiManager 6.4 all versions may allow a remote un... | 8.1 | HIGH | — | 0 |
| CVE-2025-55717 A cleartext storage of sensitive information vulnerability [CWE-312] vulnerability in Fortinet FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.... | 4.0 | MEDIUM | — | 0 |
| CVE-2025-66178 A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 throug... | 7.2 | HIGH | — | 0 |
| CVE-2025-68482 A improper certificate validation vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiA... | 6.9 | MEDIUM | — | 0 |
| CVE-2026-26134 Integer overflow or wraparound in Microsoft Office allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
| CVE-2026-23654 Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network. | 8.8 | HIGH | — | 0 |
| CVE-2026-23656 Insufficient verification of data authenticity in Windows App Installer allows an unauthorized attacker to perform spoofing over a network. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-23660 Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
| CVE-2026-23661 Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network. | 7.5 | HIGH | — | 0 |
| CVE-2026-23662 Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network. | 7.5 | HIGH | — | 0 |
| CVE-2026-23664 Improper restriction of communication channel to intended endpoints in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network. | 7.5 | HIGH | — | 0 |
| CVE-2026-22316 A remote attacker with user privileges for the webUI can use the setting of the TFTP Filename with a POST Request to trigger a stack-based Buffer Overflow, resulting in a DoS attack. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23907 This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24017 An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0... | 8.1 | HIGH | — | 0 |
| CVE-2026-24018 A UNIX symbolic link (Symlink) following vulnerability in Fortinet FortiClientLinux 7.4.0 through 7.4.4, FortiClientLinux 7.2.2 through 7.2.12 may allow a local and unprivileged user to escalate their... | 7.8 | HIGH | — | 0 |
| CVE-2026-24282 Out-of-bounds read in Push Message Routing Service allows an authorized attacker to disclose information locally. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-24283 Heap-based buffer overflow in Windows File Server allows an authorized attacker to elevate privileges locally. | 8.8 | HIGH | — | 0 |
| CVE-2026-24292 Use after free in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
| CVE-2026-24293 Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
| CVE-2026-24295 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Device Association Service allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | — | 0 |
| CVE-2026-24296 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Device Association Service allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | — | 0 |
| CVE-2026-24297 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kerberos allows an unauthorized attacker to bypass a security feature over a network. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25178 Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | — | 0 |
| CVE-2026-24640 A Stack-based Buffer Overflow vulnerability [CWE-121] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiW... | 6.6 | MEDIUM | — | 0 |
| CVE-2026-24641 A NULL Pointer Dereference vulnerability [CWE-476] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb ... | 2.7 | LOW | — | 0 |
| CVE-2026-25165 Null pointer dereference in Windows Performance Counters allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
| CVE-2026-25166 Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally. | 7.8 | HIGH | — | 0 |
| CVE-2026-25167 Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. | 7.4 | HIGH | — | 0 |
| CVE-2026-25168 Null pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to deny service locally. | 6.2 | MEDIUM | — | 0 |
| CVE-2026-25189 Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.