Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-23958 Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-23630 Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend ca... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23968 Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe fe... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-23986 Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe fe... | 7.1 | HIGH | — | 0 |
| CVE-2026-24046 Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with ac... | 7.1 | HIGH | — | 0 |
| CVE-2026-24047 Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to ver... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-24048 Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.... | 3.5 | LOW | — | 0 |
| CVE-2026-1036 The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23887 Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the databa... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23946 Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpd... | 6.8 | MEDIUM | — | 0 |
| CVE-2026-23951 SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size cal... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-23699 AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices. | N/A | NONE | — | 0 |
| CVE-2026-23961 Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow alre... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23959 CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-23962 Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote p... | 7.5 | HIGH | — | 0 |
| CVE-2026-23963 Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters,... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-24034 Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-23964 Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoin... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-23991 go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (vali... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-23992 go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signat... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-24002 Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreads... | 9.0 | CRITICAL | — | 0 |
| CVE-2026-24010 Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deplo... | 8.0 | HIGH | — | 0 |
| CVE-2020-8453 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. The CVE was never used. | N/A | NONE | — | 0 |
| CVE-2020-8454 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. The CVE was never used. | N/A | NONE | — | 0 |
| CVE-2020-8455 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. The CVE was never used. | N/A | NONE | — | 0 |
| CVE-2026-24035 Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-24036 Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without auth... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24037 Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, th... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-24038 Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server re... | 8.1 | HIGH | — | 0 |
| CVE-2026-24039 Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. Th... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-24042 Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) action... | 9.4 | CRITICAL | — | 0 |
| CVE-2026-24055 Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the clie... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-71176 pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges. | 6.8 | MEDIUM | — | 0 |
| CVE-2026-24049 wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mi... | 7.1 | HIGH | — | 0 |
| CVE-2026-0920 The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' func... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-8451 Rejected reason: The reserved CVE was never used. | N/A | NONE | — | 0 |
| CVE-2026-24332 Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1330 MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 7.5 | HIGH | — | 0 |
| CVE-2026-1331 MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary ... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-8452 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. The CVE was never used. | N/A | NONE | — | 0 |
| CVE-2025-13335 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authent... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1225 ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the cla... | N/A | NONE | — | 0 |
| CVE-2026-1332 MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related informatio... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-10024 Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection.This issue affects Education Mana... | 7.5 | HIGH | — | 0 |
| CVE-2025-10855 Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers.This issue affects Teknoera: through 01102025... | 7.5 | HIGH | — | 0 |
| CVE-2025-10856 Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection.This issue affects Teknoera: through 01102025. | 8.1 | HIGH | — | 0 |
| CVE-2025-14295 Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web ses... | N/A | NONE | — | 0 |
| CVE-2025-12738 Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability a... | N/A | NONE | — | 0 |
| CVE-2025-13927 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a de... | 7.5 | HIGH | — | 0 |
| CVE-2025-50003 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion.This issue affects Amul... | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.