Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-0126 |
|
Out-of-Bounds Write in google (CVE-2026-0126)
out-of-bounds write in google (CVE-2026-0126). Successful exploitation can lead to full system takeover.
|
| CVE-2026-53622 |
|
Vulnerability in Traefik (CVE-2026-53622)
vulnerability in Traefik (CVE-2026-53622). Confidential information can be exposed externally. Exploitable via ``Host``. Mitigation: upgrade to `3.7.3` or later.
|
| CVE-2026-54157 |
|
SSRF (Server-Side Request Forgery) in @lobehub/lobehub (CVE-2026-54157)
SSRF in @lobehub/lobehub (CVE-2026-54157). Confidential information can be exposed externally. Exploitable via `POST /webapi/proxy`. Mitigation: upgrade to `2.1.57` or later.
|
| CVE-2026-53753 |
|
Code Injection in crawl4ai (CVE-2026-53753)
code injection in crawl4ai (CVE-2026-53753). Successful exploitation can lead to full system takeover. Exploitable via `POST /crawl`. Mitigation: upgrade to `0.8.7` or later.
|
| CVE-2026-48491 |
|
Vulnerability in Traefik (CVE-2026-48491)
vulnerability in Traefik (CVE-2026-48491). Confidential information can be exposed externally. Exploitable via ``SNICheck``. Mitigation: upgrade to `3.7.3` or later.
|
| CVE-2026-54310 |
|
SQL Injection in n8n (CVE-2026-54310)
SQL injection in n8n (CVE-2026-54310). Successful exploitation can lead to full system takeover. Exploitable via ``NODES_EXCLUDE``. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-48746 |
|
Vulnerability in vllm (CVE-2026-48746)
vulnerability in vllm (CVE-2026-48746). Confidential information can be exposed externally. Exploitable via ``AuthenticationMiddleware``. Mitigation: upgrade to `0.22.0` or later.
|
| CVE-2026-48519 |
|
Code Injection in langflow (CVE-2026-48519)
code injection in langflow (CVE-2026-48519). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.9.2` or later.
|
| CVE-2026-53776 |
|
Vulnerability in CVE-2026-53776 (CVE-2026-53776)
vulnerability in CVE-2026-53776 (CVE-2026-53776). Confidential information can be exposed externally.
|
| CVE-2026-12316 |
|
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152.
|
| CVE-2026-12315 |
|
Vulnerability in mozilla (CVE-2026-12315)
vulnerability in mozilla (CVE-2026-12315). Confidential information can be exposed externally.
|
| CVE-2026-12304 |
|
Vulnerability in mozilla (CVE-2026-12304)
vulnerability in mozilla (CVE-2026-12304). Confidential information can be exposed externally.
|
| CVE-2026-12297 |
|
Buffer Overflow in mozilla (CVE-2026-12297)
vulnerability in mozilla (CVE-2026-12297). Successful exploitation can lead to full system takeover.
|
| CVE-2026-12296 |
|
Vulnerability in mozilla (CVE-2026-12296)
vulnerability in mozilla (CVE-2026-12296). Successful exploitation can lead to full system takeover.
|
| CVE-2026-12295 |
|
Vulnerability in mozilla (CVE-2026-12295)
vulnerability in mozilla (CVE-2026-12295). Successful exploitation can lead to full system takeover.
|
| CVE-2026-12294 |
|
Vulnerability in mozilla (CVE-2026-12294)
vulnerability in mozilla (CVE-2026-12294). Successful exploitation can lead to full system takeover.
|
| CVE-2026-12293 |
|
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
|
| CVE-2026-40750 |
|
Unrestricted File Upload in CVE-2026-40750 (CVE-2026-40750)
vulnerability in CVE-2026-40750 (CVE-2026-40750). Successful exploitation can lead to full system takeover.
|
| CVE-2026-52715 |
|
Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions.
Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions.
|
| CVE-2026-49774 |
|
Code Injection in CVE-2026-49774 (CVE-2026-49774)
code injection in CVE-2026-49774 (CVE-2026-49774). Successful exploitation can lead to full system takeover.
|
| CVE-2026-49772 |
|
SQL Injection in sqli (CVE-2026-49772)
SQL injection in sqli (CVE-2026-49772). Confidential information can be exposed externally.
|
| CVE-2026-39574 |
|
Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.
Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.
|
| CVE-2026-12205 |
|
Vulnerability in c (CVE-2026-12205)
vulnerability in c (CVE-2026-12205). Confidential information can be exposed externally.
|
| CVE-2026-48714 |
|
Vulnerability in i18next-http-middleware (CVE-2026-48714)
vulnerability in i18next-http-middleware (CVE-2026-48714). Data can be tampered with by attackers. Exploitable via ``missingKeyHandler``. Mitigation: upgrade to `3.9.7` or later.
|
| CVE-2026-48713 |
|
Vulnerability in i18next-fs-backend (CVE-2026-48713)
vulnerability in i18next-fs-backend (CVE-2026-48713). Data can be tampered with by attackers. Exploitable via ``missingKeyHandler``. Mitigation: upgrade to `2.6.4` or later.
|
| CVE-2026-12087 |
|
Out-of-Bounds Read in CVE-2026-12087 (CVE-2026-12087)
vulnerability in CVE-2026-12087 (CVE-2026-12087). Confidential information can be exposed externally.
|
| CVE-2026-11832 |
|
Vulnerability in CVE-2026-11832 (CVE-2026-11832)
vulnerability in CVE-2026-11832 (CVE-2026-11832). Confidential information can be exposed externally.
|
| CVE-2026-9691 |
|
Unsafe Deserialization in CVE-2026-9691 (CVE-2026-9691)
vulnerability in CVE-2026-9691 (CVE-2026-9691). Successful exploitation can lead to full system takeover.
|
| CVE-2026-52703 |
|
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
|
| CVE-2026-49769 |
|
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
|
| CVE-2026-49768 |
|
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
|
| CVE-2026-52693 |
|
Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions.
Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions.
|
| CVE-2026-49781 |
|
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
|
| CVE-2026-49776 |
|
SQL Injection in wordpress (CVE-2026-49776)
SQL injection in wordpress (CVE-2026-49776). Confidential information can be exposed externally.
|
| CVE-2026-49766 |
|
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
|
| CVE-2026-49770 |
|
Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
|
| CVE-2026-49765 |
|
Unsafe Deserialization in CVE-2026-49765 (CVE-2026-49765)
vulnerability in CVE-2026-49765 (CVE-2026-49765). Successful exploitation can lead to full system takeover.
|
| CVE-2026-49764 |
|
Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.
Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.
|
| CVE-2026-49763 |
|
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
|
| CVE-2026-49105 |
|
Unsafe Deserialization in CVE-2026-49105 (CVE-2026-49105)
vulnerability in CVE-2026-49105 (CVE-2026-49105). Successful exploitation can lead to full system takeover.
|
| CVE-2026-49067 |
|
Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.
Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.
|
| CVE-2026-49106 |
|
Unsafe Deserialization in CVE-2026-49106 (CVE-2026-49106)
vulnerability in CVE-2026-49106 (CVE-2026-49106). Successful exploitation can lead to full system takeover.
|
| CVE-2026-49104 |
|
Unsafe Deserialization in CVE-2026-49104 (CVE-2026-49104)
vulnerability in CVE-2026-49104 (CVE-2026-49104). Successful exploitation can lead to full system takeover.
|
| CVE-2026-49085 |
|
Unsafe Deserialization in CVE-2026-49085 (CVE-2026-49085)
vulnerability in CVE-2026-49085 (CVE-2026-49085). Successful exploitation can lead to full system takeover.
|
| CVE-2026-49109 |
|
Unsafe Deserialization in CVE-2026-49109 (CVE-2026-49109)
vulnerability in CVE-2026-49109 (CVE-2026-49109). Successful exploitation can lead to full system takeover.
|
| CVE-2026-48881 |
|
Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.
Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.
|
| CVE-2026-45439 |
|
Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
|
| CVE-2026-48886 |
|
Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions.
Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions.
|
| CVE-2026-48836 |
|
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
|
| CVE-2026-42665 |
|
Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.
Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.
|