Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-4282 A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authoriza... | 7.4 | HIGH | — | 0 |
| CVE-2026-4325 A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use ent... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4634 A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OID... | 7.5 | HIGH | — | 0 |
| CVE-2026-4636 A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned ... | 8.1 | HIGH | — | 0 |
| CVE-2026-40485 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4111 A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed... | 7.5 | HIGH | — | 0 |
| CVE-2026-34782 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to us... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-35205 Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed... | 7.8 | HIGH | — | 0 |
| CVE-2019-25711 SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. A... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25712 BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trig... | 6.2 | MEDIUM | — | 0 |
| CVE-2019-25713 MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attacke... | 7.1 | HIGH | — | 0 |
| CVE-2019-25703 ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attacker... | 7.1 | HIGH | — | 0 |
| CVE-2026-30997 An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 7.5 | HIGH | — | 0 |
| CVE-2026-31283 In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-36941 Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the file /orms/admin/rooms/manage_room.php. | 2.7 | LOW | — | 0 |
| CVE-2026-36944 Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerale to SQL injection in the file/rsms/admin/repairs/view_details.php. | 2.7 | LOW | — | 0 |
| CVE-2026-36945 Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/clients/manage_client.php | 2.7 | LOW | — | 0 |
| CVE-2025-31991 Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability i... | 6.8 | MEDIUM | — | 0 |
| CVE-2025-69627 Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated an... | 8.4 | HIGH | — | 0 |
| CVE-2026-30804 Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800 | N/A | NONE | — | 0 |
| CVE-2026-30806 Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800 | N/A | NONE | — | 0 |
| CVE-2026-22563 A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-22564 An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-33947 jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by ... | 6.2 | MEDIUM | — | 0 |
| CVE-2026-34238 ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a he... | 5.1 | MEDIUM | — | 0 |
| CVE-2026-4786 Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the u... | N/A | NONE | — | 0 |
| CVE-2026-5086 Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timi... | 7.5 | HIGH | — | 0 |
| CVE-2026-0512 Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed b... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-24318 Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unautho... | 4.2 | MEDIUM | — | 0 |
| CVE-2026-27672 The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27673 Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-27674 Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and caus... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-27675 SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to... | 2.0 | LOW | — | 0 |
| CVE-2026-27676 Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27677 Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. T... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27678 Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27679 Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without prope... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27683 SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes... | 4.1 | MEDIUM | — | 0 |
| CVE-2026-37595 SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php. | 2.7 | LOW | — | 0 |
| CVE-2026-37596 SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php. | 2.7 | LOW | — | 0 |
| CVE-2026-37597 SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php. | 2.7 | LOW | — | 0 |
| CVE-2026-37598 SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings. | 2.7 | LOW | — | 0 |
| CVE-2026-37600 SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php. | 2.7 | LOW | — | 0 |
| CVE-2026-37601 SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php. | 2.7 | LOW | — | 0 |
| CVE-2026-37602 SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php. | 2.7 | LOW | — | 0 |
| CVE-2026-37980 A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cros... | 6.9 | MEDIUM | — | 0 |
| CVE-2026-4344 A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the... | 7.1 | HIGH | — | 0 |
| CVE-2026-4345 A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious a... | 7.1 | HIGH | — | 0 |
| CVE-2026-4369 A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerabilit... | 7.1 | HIGH | — | 0 |
| CVE-2026-4914 Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required. | 5.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.