Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2020-37245 |
|
Cross-Site Scripting (XSS) in path-traversal (CVE-2020-37245)
cross-site scripting in path-traversal (CVE-2020-37245). Confidential information can be exposed externally.
|
| CVE-2020-37231 |
|
Vulnerability in CVE-2020-37231 (CVE-2020-37231)
vulnerability in CVE-2020-37231 (CVE-2020-37231). Successful exploitation can lead to full system takeover.
|
| CVE-2020-37232 |
|
Vulnerability in CVE-2020-37232 (CVE-2020-37232)
vulnerability in CVE-2020-37232 (CVE-2020-37232). Successful exploitation can lead to full system takeover.
|
| CVE-2020-37230 |
|
Vulnerability in CVE-2020-37230 (CVE-2020-37230)
vulnerability in CVE-2020-37230 (CVE-2020-37230). Successful exploitation can lead to full system takeover.
|
| CVE-2020-37229 |
|
Vulnerability in CVE-2020-37229 (CVE-2020-37229)
vulnerability in CVE-2020-37229 (CVE-2020-37229). Successful exploitation can lead to full system takeover.
|
| CVE-2020-37227 |
|
Unrestricted File Upload in CVE-2020-37227 (CVE-2020-37227)
vulnerability in CVE-2020-37227 (CVE-2020-37227). Successful exploitation can lead to full system takeover.
|
| CVE-2026-8657 |
|
Vulnerability in CVE-2026-8657 (CVE-2026-8657)
vulnerability in CVE-2026-8657 (CVE-2026-8657). Data can be tampered with by attackers.
|
| CVE-2026-8700 |
|
Vulnerability in CVE-2026-8700 (CVE-2026-8700)
vulnerability in CVE-2026-8700 (CVE-2026-8700). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8696 |
|
Use-After-Free in dos (CVE-2026-8696)
vulnerability in dos (CVE-2026-8696). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8686 |
|
Out-of-Bounds Read in Amazon aws (CVE-2026-8686)
vulnerability in Amazon aws (CVE-2026-8686). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-46367 |
|
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
|
| CVE-2026-46407 |
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclo...
|
| CVE-2026-46408 |
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter t...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another u...
|
| CVE-2026-46359 |
|
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
|
| CVE-2026-46366 |
|
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
|
| CVE-2026-44826 |
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive...
|
| CVE-2021-47964 |
|
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
|
| CVE-2021-47966 |
|
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in...
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in...
|
| CVE-2021-47963 |
|
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to...
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to...
|
| CVE-2021-47959 |
|
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
|
| CVE-2026-45578 |
|
OS Command Injection in WWBN/AVideo (CVE-2026-45578)
OS command injection in WWBN/AVideo (CVE-2026-45578). Successful exploitation can lead to full system takeover. Exploitable via ``on_publish.php``.
|
| CVE-2026-45575 |
|
Vulnerability in com.oviva.telematik:epa4all-client (CVE-2026-45575)
vulnerability in com.oviva.telematik:epa4all-client (CVE-2026-45575). Confidential information can be exposed externally. Mitigation: upgrade to `1.2.2` or later.
|
| CVE-2026-46474 |
|
Vulnerability in CVE-2026-46474 (CVE-2026-46474)
vulnerability in CVE-2026-46474 (CVE-2026-46474). Confidential information can be exposed externally.
|
| CVE-2026-8695 |
|
Use-After-Free in dos (CVE-2026-8695)
vulnerability in dos (CVE-2026-8695). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-45574 |
|
Vulnerability in com.oviva.telematik:epa4all-client (CVE-2026-45574)
vulnerability in com.oviva.telematik:epa4all-client (CVE-2026-45574). Confidential information can be exposed externally. Mitigation: upgrade to `1.2.2` or later.
|
| CVE-2026-46491 |
|
Path Traversal in simplesamlphp/simplesamlphp-module-casserver (CVE-2026-46491)
path traversal in simplesamlphp/simplesamlphp-module-casserver (CVE-2026-46491). Data can be tampered with by attackers. Exploitable via ``ticket``. Mitigation: upgrade to `7.0.3` or later.
|
| CVE-2026-44692 |
|
Vulnerability in code16/sharp (CVE-2026-44692)
vulnerability in code16/sharp (CVE-2026-44692). Confidential information can be exposed externally. Exploitable via `GET /sharp/{globalFilter}/download/{entityKey}/{instanceId`. Mitigation: upgrade to `9.22.0` or later.
|
| CVE-2026-45717 |
|
Vulnerability in @budibase/server (CVE-2026-45717)
vulnerability in @budibase/server (CVE-2026-45717). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/datasources/`. Mitigation: upgrade to `3.38.1` or later.
|
| CVE-2026-45715 |
|
SSRF (Server-Side Request Forgery) in @budibase/server (CVE-2026-45715)
SSRF in @budibase/server (CVE-2026-45715). Confidential information can be exposed externally. Exploitable via `POST /api/queries/preview`. Mitigation: upgrade to `3.38.1` or later.
|
| CVE-2026-45548 |
|
SSRF (Server-Side Request Forgery) in @budibase/server (CVE-2026-45548)
SSRF in @budibase/server (CVE-2026-45548). Confidential information can be exposed externally. Exploitable via ``processUrlFile``. Mitigation: upgrade to `3.34.8` or later.
|
| CVE-2026-45364 |
|
Vulnerability in better-auth (CVE-2026-45364)
vulnerability in better-auth (CVE-2026-45364). Risk of unauthorized operations or information disclosure. Exploitable via ``normalizeIP``. Mitigation: upgrade to `1.5.0-beta.9` or later.
|
| CVE-2026-45037 |
|
Vulnerability in tabby (CVE-2026-45037)
vulnerability in tabby (CVE-2026-45037). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.0.232` or later.
|
| CVE-2026-45038 |
|
Vulnerability in tabby (CVE-2026-45038)
vulnerability in tabby (CVE-2026-45038). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.0.233` or later.
|
| CVE-2026-45539 |
|
Information Disclosure in apm (CVE-2026-45539)
vulnerability in apm (CVE-2026-45539). Confidential information can be exposed externally. Exploitable via ``content_hash``. Mitigation: upgrade to `0.13.0` or later.
|
| CVE-2026-45036 |
|
OS Command Injection in tabby (CVE-2026-45036)
OS command injection in tabby (CVE-2026-45036). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.0.233` or later.
|
| CVE-2026-45035 |
|
OS Command Injection in tabby (CVE-2026-45035)
OS command injection in tabby (CVE-2026-45035). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.0.233` or later.
|
| CVE-2026-44641 |
|
Path Traversal in apm-cli (CVE-2026-44641)
path traversal in apm-cli (CVE-2026-44641). Confidential information can be exposed externally. Exploitable via ``agents``. Mitigation: upgrade to `0.8.12` or later.
|
| CVE-2026-45062 |
|
Vulnerability in github.com/dunglas/frankenphp (CVE-2026-45062)
vulnerability in github.com/dunglas/frankenphp (CVE-2026-45062). Successful exploitation can lead to full system takeover. Exploitable via ``cgi.go``. Mitigation: upgrade to `1.12.3` or later.
|
| CVE-2026-44716 |
|
Path Traversal in pipecat-ai (CVE-2026-44716)
path traversal in pipecat-ai (CVE-2026-44716). Confidential information can be exposed externally. Exploitable via `GET /files/{filename`. Mitigation: upgrade to `1.2.0` or later.
|
| CVE-2026-41147 |
|
Cross-Site Scripting (XSS) in nukeviet/nukeviet (CVE-2026-41147)
cross-site scripting in nukeviet/nukeviet (CVE-2026-41147). Confidential information can be exposed externally. Exploitable via ``srcdoc``.
|
| CVE-2026-40092 |
|
Vulnerability in nimiq-keys (CVE-2026-40092)
vulnerability in nimiq-keys (CVE-2026-40092). Risk of unauthorized operations or information disclosure. Exploitable via ``TaggedPublicKey``.
|
| CVE-2026-22810 |
|
Vulnerability in @joplin/onenote-converter (CVE-2026-22810)
vulnerability in @joplin/onenote-converter (CVE-2026-22810). Successful exploitation can lead to full system takeover. Exploitable via ``embedded_file.rs``. Mitigation: upgrade to `3.5.7` or later.
|
| CVE-2026-46508 |
|
Command Injection in vercel (CVE-2026-46508)
command injection in vercel (CVE-2026-46508). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `2.9.14000` or later.
|
| CVE-2026-35194 |
|
Code Injection in flink (CVE-2026-35194)
code injection in flink (CVE-2026-35194). Confidential information can be exposed externally. Mitigation: upgrade to `1.20.4, 2.0.2, 2.1.1, 2.2.1` or later.
|
| CVE-2026-39054 |
|
Command Injection in CVE-2026-39054 (CVE-2026-39054)
command injection in CVE-2026-39054 (CVE-2026-39054). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-38728 |
|
Vulnerability in smtp-server (CVE-2026-38728)
vulnerability in smtp-server (CVE-2026-38728). Risk of unauthorized operations or information disclosure. Exploitable via ``_remainder``. Mitigation: upgrade to `3.18.3` or later.
|
| CVE-2026-34253 |
|
Vulnerability in c (CVE-2026-34253)
vulnerability in c (CVE-2026-34253). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-46333 |
|
Privilege Escalation in cisa (CVE-2026-46333)
vulnerability in cisa (CVE-2026-46333). Confidential information can be exposed externally.
|
| CVE-2026-41552 |
|
Path Traversal in path-traversal (CVE-2026-41552)
path traversal in path-traversal (CVE-2026-41552). Confidential information can be exposed externally.
|
| CVE-2026-41964 |
|
Vulnerability in CVE-2026-41964 (CVE-2026-41964)
vulnerability in CVE-2026-41964 (CVE-2026-41964). Successful exploitation can lead to full system takeover.
|