Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-30869 SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By expl... | 9.3 | CRITICAL | — | 0 |
| CVE-2026-30885 WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An u... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-30887 OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-30913 Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is ... | 4.6 | MEDIUM | — | 0 |
| CVE-2025-41710 An unauthenticated remote attacker may use hardcodes credentials to get access to the previously activated FTP Server with limited read and write privileges. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-30870 PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determini... | 6.5 | MEDIUM | — | 0 |
| CVE-2013-4814 Cross-site scripting (XSS) vulnerability in HP XP P9000 Command View Advanced Edition Suite Software 7.x before 7.5.0-02 allows remote attackers to inject arbitrary web script or HTML via unspecified ... | N/A | NONE | — | 0 |
| CVE-2026-30918 facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP... | 7.6 | HIGH | — | 0 |
| CVE-2026-30919 facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , stored XSS (also known as persistent or second-order XSS) occurs when an application receives data from a... | 7.6 | HIGH | — | 0 |
| CVE-2026-30920 OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.g... | 8.6 | HIGH | — | 0 |
| CVE-2026-30921 OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-30925 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a craft... | 7.5 | HIGH | — | 0 |
| CVE-2025-41711 An unauthenticated remote attacker can use firmware images to extract password hashes and brute force plaintext passwords of accounts with limited access. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-30927 Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTH... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-4191 A vulnerability has been found in PHPGurukul Employee Record Management System 1.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /editmyeducation.p... | 7.3 | HIGH | — | 0 |
| CVE-2022-4977 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide... | N/A | NONE | — | 0 |
| CVE-2025-11739 CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stre... | N/A | NONE | — | 0 |
| CVE-2025-13901 CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occ... | N/A | NONE | — | 0 |
| CVE-2025-13902 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser ru... | N/A | NONE | — | 0 |
| CVE-2025-13957 CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL ... | N/A | NONE | — | 0 |
| CVE-2025-27769 A vulnerability has been identified in Heliox Flex 180 kW EV Charging Station (All versions < F4.11.1), Heliox Mobile DC 40 kW EV Charging Station (All versions < L4.10.1). Affected devices contain im... | 2.6 | LOW | — | 0 |
| CVE-2025-40943 Affected devices do not properly sanitize contents of trace files. This could allow an attacker to inject code through social engineering an authorized user, who has the function right "Read diagno... | 9.6 | CRITICAL | — | 0 |
| CVE-2025-41709 An unauthenticated remote attacker can perform a command injection via Modbus-TCP or Modbus-RTU to gain read and write access on the affected device. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-48418 A hidden functionality vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.0 through 7.2.10, FortiAnalyzer 7.0.0 through 7.0.14, FortiAnal... | 6.7 | MEDIUM | — | 0 |
| CVE-2025-48840 An authentication bypass by spoofing vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.8, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow a remote unaut... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-49784 An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.... | 6.0 | MEDIUM | — | 0 |
| CVE-2025-53608 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.... | 4.8 | MEDIUM | — | 0 |
| CVE-2025-53706 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2025. No... | N/A | NONE | — | 0 |
| CVE-2025-41712 An unauthenticated remote attacker who tricks a user to upload a manipulated HTML file can get access to sensitive information on the device. This is a result of incorrect permission assignment for th... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-54820 A Stack-based Buffer Overflow vulnerability [CWE-121] vulnerability in Fortinet FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.10, FortiManager 6.4 all versions may allow a remote un... | 8.1 | HIGH | — | 0 |
| CVE-2025-55717 A cleartext storage of sensitive information vulnerability [CWE-312] vulnerability in Fortinet FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.... | 4.0 | MEDIUM | — | 0 |
| CVE-2025-66178 A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 throug... | 7.2 | HIGH | — | 0 |
| CVE-2025-68482 A improper certificate validation vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiA... | 6.9 | MEDIUM | — | 0 |
| CVE-2026-26134 Integer overflow or wraparound in Microsoft Office allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | — | 0 |
| CVE-2025-68648 A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versi... | 7.2 | HIGH | — | 0 |
| CVE-2025-69614 Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Accoun... | 9.4 | CRITICAL | — | 0 |
| CVE-2025-69615 Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Accou... | 9.1 | CRITICAL | — | 0 |
| CVE-2025-70025 An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-1286 CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated use... | N/A | NONE | — | 0 |
| CVE-2026-20967 Improper input validation in System Center Operations Manager allows an authorized attacker to elevate privileges over a network. | 8.8 | HIGH | — | 0 |
| CVE-2026-21262 Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network. | 8.8 | HIGH | — | 0 |
| CVE-2026-21791 HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL | 3.3 | LOW | — | 0 |
| CVE-2026-22572 An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiMan... | 7.2 | HIGH | — | 0 |
| CVE-2025-15238 QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15239 QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15240 QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby e... | 8.8 | HIGH | — | 0 |
| CVE-2025-66518 Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config... | 8.8 | HIGH | — | 0 |
| CVE-2009-3023 Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command t... | N/A | NONE | — | 0 |
| CVE-2025-5965 In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Inje... | 7.2 | HIGH | — | 0 |
| CVE-2025-12519 Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Informat... | 5.3 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.