Vulnerabilities

Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.

Filtering: Group: attack-types Clear
ID Title
CVE-2021-47954 SQL Injection in sqli (CVE-2021-47954)
SQL injection in sqli (CVE-2021-47954). Confidential information can be exposed externally.
CVE-2021-47942 Path Traversal in path-traversal (CVE-2021-47942)
path traversal in path-traversal (CVE-2021-47942). Confidential information can be exposed externally.
CVE-2020-37245 Cross-Site Scripting (XSS) in path-traversal (CVE-2020-37245)
cross-site scripting in path-traversal (CVE-2020-37245). Confidential information can be exposed externally.
CVE-2020-37244 SQL Injection in sqli (CVE-2020-37244)
SQL injection in sqli (CVE-2020-37244). Confidential information can be exposed externally.
CVE-2020-37243 SQL Injection in sqli (CVE-2020-37243)
SQL injection in sqli (CVE-2020-37243). Confidential information can be exposed externally.
CVE-2020-37242 SQL Injection in sqli (CVE-2020-37242)
SQL injection in sqli (CVE-2020-37242). Confidential information can be exposed externally.
CVE-2020-37227 Unrestricted File Upload in CVE-2020-37227 (CVE-2020-37227)
vulnerability in CVE-2020-37227 (CVE-2020-37227). Successful exploitation can lead to full system takeover.
CVE-2026-8696 Use-After-Free in dos (CVE-2026-8696)
vulnerability in dos (CVE-2026-8696). Risk of unauthorized operations or information disclosure.
CVE-2026-8686 Out-of-Bounds Read in Amazon aws (CVE-2026-8686)
vulnerability in Amazon aws (CVE-2026-8686). Risk of unauthorized operations or information disclosure.
CVE-2026-46407 Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclo...
CVE-2026-46367 Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
CVE-2026-46359 phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
CVE-2026-46366 phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
CVE-2026-44826 Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive...
CVE-2021-47964 Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
CVE-2021-47966 PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in...
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in...
CVE-2021-47963 Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to...
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to...
CVE-2021-47959 WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
CVE-2026-8695 Use-After-Free in dos (CVE-2026-8695)
vulnerability in dos (CVE-2026-8695). Risk of unauthorized operations or information disclosure.
CVE-2026-46491 Path Traversal in simplesamlphp/simplesamlphp-module-casserver (CVE-2026-46491)
path traversal in simplesamlphp/simplesamlphp-module-casserver (CVE-2026-46491). Data can be tampered with by attackers. Exploitable via ``ticket``. Mitigation: upgrade to `7.0.3` or later.
CVE-2026-45717 Vulnerability in @budibase/server (CVE-2026-45717)
vulnerability in @budibase/server (CVE-2026-45717). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/datasources/`. Mitigation: upgrade to `3.38.1` or later.
CVE-2026-45035 OS Command Injection in tabby (CVE-2026-45035)
OS command injection in tabby (CVE-2026-45035). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.0.233` or later.
CVE-2026-45062 Vulnerability in github.com/dunglas/frankenphp (CVE-2026-45062)
vulnerability in github.com/dunglas/frankenphp (CVE-2026-45062). Successful exploitation can lead to full system takeover. Exploitable via ``cgi.go``. Mitigation: upgrade to `1.12.3` or later.
CVE-2026-44716 Path Traversal in pipecat-ai (CVE-2026-44716)
path traversal in pipecat-ai (CVE-2026-44716). Confidential information can be exposed externally. Exploitable via `GET /files/{filename`. Mitigation: upgrade to `1.2.0` or later.
CVE-2026-41147 Cross-Site Scripting (XSS) in nukeviet/nukeviet (CVE-2026-41147)
cross-site scripting in nukeviet/nukeviet (CVE-2026-41147). Confidential information can be exposed externally. Exploitable via ``srcdoc``.
CVE-2026-22810 Vulnerability in @joplin/onenote-converter (CVE-2026-22810)
vulnerability in @joplin/onenote-converter (CVE-2026-22810). Successful exploitation can lead to full system takeover. Exploitable via ``embedded_file.rs``. Mitigation: upgrade to `3.5.7` or later.
CVE-2026-38728 Vulnerability in smtp-server (CVE-2026-38728)
vulnerability in smtp-server (CVE-2026-38728). Risk of unauthorized operations or information disclosure. Exploitable via ``_remainder``. Mitigation: upgrade to `3.18.3` or later.
CVE-2026-41552 Path Traversal in path-traversal (CVE-2026-41552)
path traversal in path-traversal (CVE-2026-41552). Confidential information can be exposed externally.
CVE-2026-6228 Privilege Escalation in wordpress (CVE-2026-6228)
vulnerability in wordpress (CVE-2026-6228). Successful exploitation can lead to full system takeover.
CVE-2026-6403 Path Traversal in wordpress (CVE-2026-6403)
path traversal in wordpress (CVE-2026-6403). Confidential information can be exposed externally.
CVE-2026-4094 The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
CVE-2026-41702 VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an...
VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an...
CVE-2024-36333 Vulnerability in privilege-escalation (CVE-2024-36333)
vulnerability in privilege-escalation (CVE-2024-36333). Successful exploitation can lead to full system takeover.
CVE-2025-54518 Vulnerability in privilege-escalation (CVE-2025-54518)
vulnerability in privilege-escalation (CVE-2025-54518). Successful exploitation can lead to full system takeover.
CVE-2026-2652 Vulnerability in mlflow (CVE-2026-2652)
vulnerability in mlflow (CVE-2026-2652). Data can be tampered with by attackers. Mitigation: upgrade to `3.10.0` or later.
CVE-2026-8629 Vulnerability in privilege-escalation (CVE-2026-8629)
vulnerability in privilege-escalation (CVE-2026-8629). Confidential information can be exposed externally.
CVE-2026-8557 Use-After-Free in privilege-escalation (CVE-2026-8557)
vulnerability in privilege-escalation (CVE-2026-8557). Successful exploitation can lead to full system takeover.
CVE-2026-8547 Vulnerability in privilege-escalation (CVE-2026-8547)
vulnerability in privilege-escalation (CVE-2026-8547). Successful exploitation can lead to full system takeover.
CVE-2026-45373 SSRF (Server-Side Request Forgery) in deepseek-tui (CVE-2026-45373)
SSRF in deepseek-tui (CVE-2026-45373). Confidential information can be exposed externally. Mitigation: upgrade to `0.8.26` or later.
CVE-2026-45310 SSRF (Server-Side Request Forgery) in deepseek-tui (CVE-2026-45310)
SSRF in deepseek-tui (CVE-2026-45310). Confidential information can be exposed externally. Exploitable via ``fetch_url``. Mitigation: upgrade to `0.8.22` or later.
CVE-2026-45665 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45665)
cross-site scripting in open-webui (CVE-2026-45665). Confidential information can be exposed externally. Exploitable via ``marked.parse``. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45400 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45400)
SSRF in open-webui (CVE-2026-45400). Confidential information can be exposed externally. Exploitable via ``requests``. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45338 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45338)
SSRF in open-webui (CVE-2026-45338). Confidential information can be exposed externally. Exploitable via ``picture``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-43907 Vulnerability in cpp (CVE-2026-43907)
vulnerability in cpp (CVE-2026-43907). Data can be tampered with by attackers. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-8621 Authentication Bypass in github.com/openclaw/crabbox (CVE-2026-8621)
authentication bypass in github.com/openclaw/crabbox (CVE-2026-8621). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `0.12.0` or later.
CVE-2026-44586 Cross-Site Scripting (XSS) in CVE-2026-44586 (CVE-2026-44586)
cross-site scripting in CVE-2026-44586 (CVE-2026-44586). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.7.0` or later.
CVE-2026-42897 KEV [KEV] Cross-Site Scripting (XSS) in Microsoft exchange-server (CVE-2026-42897)
cross-site scripting in Microsoft exchange-server (CVE-2026-42897). Confidential information can be exposed externally. Listed in CISA KEV — actively exploited.
CVE-2026-45011 Cross-Site Scripting (XSS) in apostrophe (CVE-2026-45011)
cross-site scripting in apostrophe (CVE-2026-45011). Confidential information can be exposed externally.
CVE-2026-45012 SSRF (Server-Side Request Forgery) in apostrophe (CVE-2026-45012)
SSRF in apostrophe (CVE-2026-45012). Confidential information can be exposed externally. Exploitable via `POST /api/v1/`.
CVE-2026-44973 Path Traversal in github.com/go-git/go-billy/v5 (CVE-2026-44973)
path traversal in github.com/go-git/go-billy/v5 (CVE-2026-44973). Confidential information can be exposed externally. Exploitable via ``osfs.ChrootOS``. Mitigation: upgrade to `5.9.0` or later.

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →