CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD
| CVE ID | Description | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|---|
| CVE-2026-1020 | Police Statistics Database System developed by Gotac has an Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-1021 | Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling ar... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1022 | Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 7.5 | HIGH | — | 0 |
| CVE-2026-1023 | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database conte... | 7.5 | HIGH | — | 0 |
| CVE-2026-0858 | Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a c... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-0975 | Delta Electronics DIAView has a Command Injection vulnerability. | 7.8 | HIGH | — | 0 |
| CVE-2026-23768 | lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or o... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-23769 | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. | 6.1 | MEDIUM | — | 0 |
| CVE-2025-14757 | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator B... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-14822 | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a pos... | 3.1 | LOW | — | 0 |
| CVE-2025-60021 | Remote command injection vulnerability in heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-14844 | The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_car... | 8.2 | HIGH | — | 0 |
| CVE-2025-59870 | HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk | 7.4 | HIGH | — | 0 |
| CVE-2025-49375 | Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1... | 8.8 | HIGH | — | 0 |
| CVE-2025-68438 | In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. T... | 7.5 | HIGH | — | 0 |
| CVE-2025-14435 | Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via trigger... | 6.8 | MEDIUM | — | 0 |
| CVE-2025-14894 | Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malic... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-0612 | The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy re... | 7.5 | HIGH | — | 0 |
| CVE-2026-0613 | The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and ser... | 7.5 | HIGH | — | 0 |
| CVE-2026-0615 | The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability i... | 7.3 | HIGH | — | 0 |
| CVE-2026-0616 | TheLibrarian's web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability ... | 7.5 | HIGH | — | 0 |
| CVE-2024-54556 | This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. A user may be able to view restricted content from the lock screen. | 2.4 | LOW | — | 0 |
| CVE-2025-15104 | Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-0695 | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, thi... | 8.7 | HIGH | — | 0 |
| CVE-2026-0696 | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-68921 | SteelSeries Nahimic 3 1.10.7 allows Directory traversal. | 7.8 | HIGH | — | 0 |
| CVE-2026-21623 | Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-21624 | Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. | 5.4 | MEDIUM | — | 0 |
| CVE-2026-21625 | User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening. | 8.8 | HIGH | — | 0 |
| CVE-2025-29943 | Write-what-where condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an ... | N/A | NONE | — | 0 |
| CVE-2025-70746 | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZone parameter of the fromSetSysTime function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a... | 7.5 | HIGH | — | 0 |
| CVE-2025-71020 | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_4C408 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a craf... | 7.5 | HIGH | — | 0 |
| CVE-2026-0949 | PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22782 | RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), wh... | 7.5 | HIGH | — | 0 |
| CVE-2026-23523 | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration w... | 9.6 | CRITICAL | — | 0 |
| CVE-2026-23529 | Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aive... | 7.7 | HIGH | — | 0 |
| CVE-2024-44210 | This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data. | 3.3 | LOW | — | 0 |
| CVE-2025-24089 | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 5.3 | MEDIUM | — | 0 |
| CVE-2025-24090 | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 3.3 | LOW | — | 0 |
| CVE-2025-24528 | In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bo... | 7.1 | HIGH | — | 0 |
| CVE-2025-24531 | In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. | 6.7 | MEDIUM | — | 0 |
| CVE-2025-31186 | A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences. | 3.3 | LOW | — | 0 |
| CVE-2025-31510 | In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authenti... | 7.2 | HIGH | — | 0 |
| CVE-2025-43508 | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 5.5 | MEDIUM | — | 0 |
| CVE-2025-43904 | In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. | 4.2 | MEDIUM | — | 0 |
| CVE-2026-0629 | Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by m... | N/A | NONE | — | 0 |
| CVE-2021-47816 | Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attacker... | 8.8 | HIGH | — | 0 |
| CVE-2021-47818 | DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can gene... | 7.5 | HIGH | — | 0 |
| CVE-2021-47820 | Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submi... | 5.3 | MEDIUM | — | 0 |
| CVE-2021-47821 | RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can gene... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.