Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-3645 The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_co... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-3996 The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game] shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitizatio... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3997 The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4086 The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4087 The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hint_ids' parameter of the pprh_update_hints AJAX action in all versions up to, and including, 1.8.20. This i... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-4143 The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_pl... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4161 The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.7 due to insufficient input sanitizatio... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-4531 A weakness has been identified in Free5GC 4.1.0. Affected is the function HandleRegistrationComplete of the file internal/gmm/handler.go of the component AMF. Executing a manipulation can lead to deni... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-33549 SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling. | 6.7 | MEDIUM | — | 0 |
| CVE-2026-3427 The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `jsonText` block attribute in all versions up to, and... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4314 The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileReque... | 8.8 | HIGH | — | 0 |
| CVE-2026-4542 A vulnerability has been found in SSCMS 4.7.0. The affected element is an unknown function of the file LayerImageController.Submit.cs of the component layerImage Endpoint. Such manipulation of the arg... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-4544 A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects an unknown function of the file /cgi-bin/login.cgi of the component POST Request Handler. Executing a manipulation of the argu... | 2.4 | LOW | — | 0 |
| CVE-2026-4115 A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verifica... | 3.7 | LOW | — | 0 |
| CVE-2019-25590 Axessh 4.2 contains a denial of service vulnerability in the logging configuration that allows local attackers to crash the application by supplying an excessively long string in the log file name fie... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25591 DNSS Domain Name Search Software 2.1.8 contains a buffer overflow vulnerability in the registration code input field that allows local attackers to crash the application by submitting an excessively l... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25592 PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste ... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25593 jetCast Server 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Log directory configuration field. Att... | 5.5 | MEDIUM | — | 0 |
| CVE-2025-10679 The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and in... | 7.3 | HIGH | — | 0 |
| CVE-2025-10731 The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-10734 The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4573 A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/form_handlers/delete_post.php of the component HTTP GET Pa... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4574 A vulnerability was detected in SourceCodester Simple E-learning System 1.0. This vulnerability affects unknown code of the component User Profile Update Handler. The manipulation of the argument firs... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4576 A vulnerability has been found in code-projects Exam Form Submission 1.0. Impacted is an unknown function of the file /admin/update_s5.php. Such manipulation of the argument sname leads to cross site ... | 2.4 | LOW | — | 0 |
| CVE-2025-13997 The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-6229 The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerab... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-23554 The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a si... | 7.8 | HIGH | — | 0 |
| CVE-2026-4577 A vulnerability was found in code-projects Exam Form Submission 1.0. The affected element is an unknown function of the file /admin/update_s4.php. Performing a manipulation of the argument sname resul... | 2.4 | LOW | — | 0 |
| CVE-2026-4578 A vulnerability was determined in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_s3.php. Executing a manipulation of the argument sname c... | 2.4 | LOW | — | 0 |
| CVE-2026-33352 WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowC... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3635 Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4589 A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-4647 A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF objec... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-4645 Rejected reason: Duplicate of CVE-2026-32287 | N/A | NONE | — | 0 |
| CVE-2026-33697 Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS) in CoCoS is vulnerable to a relay attack affecting all versions from v0.4.0 through v0.8.2. This v... | 7.5 | HIGH | — | 0 |
| CVE-2026-33898 Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will... | 8.8 | HIGH | — | 0 |
| CVE-2026-34388 Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server proc... | 7.5 | HIGH | — | 0 |
| CVE-2026-33718 OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The... | 7.6 | HIGH | — | 0 |
| CVE-2025-59032 ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to... | 7.5 | HIGH | — | 0 |
| CVE-2026-33728 dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data withou... | N/A | NONE | — | 0 |
| CVE-2026-33730 Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulner... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-33745 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to ... | 7.4 | HIGH | — | 0 |
| CVE-2026-4908 A security flaw has been discovered in code-projects Simple Laundry System 1.0. This affects an unknown function of the file /modstaffinfo.php of the component Parameter Handler. The manipulation of t... | 7.3 | HIGH | — | 0 |
| CVE-2026-22742 Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. I... | 8.6 | HIGH | — | 0 |
| CVE-2026-22743 Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFi... | 7.5 | HIGH | — | 0 |
| CVE-2026-22744 In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} ... | 7.5 | HIGH | — | 0 |
| CVE-2026-33559 WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/edit... | N/A | NONE | — | 0 |
| CVE-2026-34353 In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed. | 5.9 | MEDIUM | — | 0 |
| CVE-2026-4948 A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-aut... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-0394 When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the doma... | 5.3 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.