Skip to main content
CVE-2025-15265 MEDIUM POC PATCH This Month

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. [CVSS 6.1 MEDIUM]

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22907 CRITICAL Act Now

Container management vulnerability allows authenticated users to escape to the host filesystem with read/write access. CVSS 9.9 with scope change.

Authentication Bypass Tdc X401gl Firmware
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-62193 CRITICAL Act Now

NOAA PMEL Live Access Server (LAS) has unauthenticated RCE through PyFerret SPAWN commands embedded in requests. Scientific data servers running LAS are vulnerable to complete compromise.

RCE Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-67079 CRITICAL Act Now

Omnispace Agora Project (before 25.10) allows RCE through crafted PDF upload that exploits the ImageMagick MSL engine via the thumbnail function.

File Upload Agora Project
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-70310 MEDIUM POC This Month

A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. [CVSS 5.5 MEDIUM]

Heap Overflow Denial Of Service Gpac
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-70309 MEDIUM POC This Month

A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file. [CVSS 5.5 MEDIUM]

Stack Overflow Denial Of Service Gpac
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-70303 MEDIUM POC This Month

A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. [CVSS 5.5 MEDIUM]

Heap Overflow Denial Of Service Gpac
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-70302 MEDIUM POC This Month

A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 5.5 MEDIUM]

Heap Overflow Denial Of Service Gpac
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-70305 MEDIUM POC This Month

A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file. [CVSS 5.5 MEDIUM]

Stack Overflow Denial Of Service Gpac
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2021-47771 MEDIUM POC This Month

Rdp Manager versions up to 4.9.9.3 is affected by allocation of resources without limits or throttling (CVSS 5.5).

Denial Of Service Rdp Manager
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2021-47765 MEDIUM POC This Month

AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. [CVSS 5.5 MEDIUM]

Denial Of Service Absolutetelnet
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2021-47764 MEDIUM POC This Month

AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. [CVSS 5.5 MEDIUM]

Denial Of Service Absolutetelnet
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-67822 CRITICAL Act Now

Mitel MiVoice MX-ONE 7.3-7.8 SP1 has authentication bypass in the Provisioning Manager. Unauthenticated attackers can access user or admin accounts in the VoIP management system.

Authentication Bypass Mivoice Mx One
NVD
CVSS 3.1
9.4
EPSS
0.1%
CVE-2021-47843 MEDIUM POC This Month

Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. [CVSS 5.4 MEDIUM]

RCE XSS Tagstoo
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-65349 MEDIUM POC This Month

Wireless Mini Router Wireless-N 300M Firmware versions up to 28k.minirouter.20190211 is affected by cross-site scripting (xss) (CVSS 5.4).

XSS Wireless Mini Router Wireless N 300m Firmware
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23496 MEDIUM POC PATCH This Month

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. [CVSS 5.4 MEDIUM]

Authentication Bypass Web2print Tools
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67083 MEDIUM POC This Month

Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. [CVSS 5.3 MEDIUM]

Path Traversal Invoiceplane
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1002 MEDIUM POC PATCH This Month

Improper URI path normalization in Vert.x Web's static file handler allows remote attackers to manipulate the cache and deny access to static files through specially crafted request URIs containing encoded path traversal sequences. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction to cause denial of service by returning HTTP 404 responses for normally accessible files. Public exploit code exists and patches are available.

Github Vert.X Web Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2021-47776 MEDIUM POC This Month

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. [CVSS 5.3 MEDIUM]

SSRF Umbraco Cms
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22908 CRITICAL Act Now

Uploading unvalidated container images enables remote attackers with admin access to achieve full system compromise through malicious containers.

Information Disclosure Tdc X401gl Firmware
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-67647 CRITICAL PATCH Act Now

SvelteKit 2.19.0-2.49.4 has SSRF/DoS affecting applications with prerendered routes. Can be exploited to make the server perform arbitrary requests or become unresponsive. Patch available.

Denial Of Service Kit Adapter Node
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-1009 CRITICAL Act Now

Altium Forum has stored XSS in forum posts with scope change (CVSS 9.0). Authenticated attackers can inject JavaScript that executes in other users' sessions, including accessing Altium design tools and project data.

XSS Altium Live
NVD
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-13062 HIGH This Week

Supreme Modules Lite (WordPress plugin) versions up to 2.5.62. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress RCE PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67077 HIGH This Week

Agora-Project versions up to 25.10 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

File Upload Agora Project
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2021-47769 MEDIUM POC This Month

Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. [CVSS 4.8 MEDIUM]

XSS Isshue
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-61973 HIGH This Week

A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. [CVSS 8.8 HIGH]

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22867 HIGH PATCH This Week

Stored XSS in LaSuite Doc versions 3.8.0 through 4.3.0 allows authenticated users with document editing privileges to inject malicious JavaScript URLs into the Interlinking feature, which execute when other users click the crafted links. This vulnerability affects the collaborative documentation platform's security model by enabling arbitrary code execution in victims' browsers. A patch is available in version 4.4.0.

XSS Docs
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-23493 HIGH PATCH This Week

Pimcore versions up to 12.3.1 is affected by insertion of sensitive information into log file (CVSS 8.6).

Information Disclosure Pimcore
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-13845 HIGH This Week

CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody.

RCE Use After Free Denial Of Service Memory Corruption Ecostruxure Power Build Rapsody
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-23495 MEDIUM POC PATCH This Month

Pimcore Admin Classic Bundle versions prior to 2.2.3 and 1.7.16 fail to enforce proper authorization on the Predefined Properties API endpoint, allowing authenticated backend users without explicit permissions to enumerate all property configurations. Public exploit code exists for this vulnerability. The flaw impacts any Pimcore deployment where backend user access controls rely on role-based restrictions for sensitive metadata definitions.

Authentication Bypass Admin Classic Bundle
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23494 MEDIUM POC PATCH This Month

Pimcore versions prior to 12.3.1 and 11.5.14 fail to properly validate authorization on the static routes API endpoint, allowing authenticated users without proper permissions to view sensitive route configurations including regex patterns and controller mappings. Public exploit code exists for this vulnerability, and no patch is currently available. The issue affects both PHP and Pimcore installations where backend users with limited privileges could gain unauthorized access to routing infrastructure details.

PHP Pimcore
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67823 HIGH This Week

A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. [CVSS 8.2 HIGH]

XSS Micontact Center Business Cx
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-1010 HIGH This Week

Stored XSS in Altium Workflow Engine allows authenticated users to inject malicious scripts into workflow forms that execute with administrator privileges when viewed. An attacker can exploit this to escalate privileges, create new admin accounts, steal session tokens, and perform arbitrary administrative actions. No patch is currently available for the on-premises enterprise server deployment.

XSS Privilege Escalation On Prem Enterprise Server
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-1008 HIGH This Week

Stored XSS in Altium Live user profile fields allows authenticated attackers to inject malicious scripts that execute when other users view the compromised profile, potentially enabling session hijacking or phishing attacks. The vulnerability stems from inadequate server-side input validation that fails to properly sanitize whitespace-based attribute injection techniques. Exploitation requires a valid user account and victim interaction but carries high risk due to cross-site impact affecting other platform users.

XSS Altium Live
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-67076 HIGH This Week

Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. [CVSS 7.5 HIGH]

Path Traversal Agora Project
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-9014 HIGH PATCH This Week

A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. [CVSS 7.5 HIGH]

TP-Link Null Pointer Dereference Denial Of Service Tl Wr841n Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64516 HIGH PATCH This Week

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). [CVSS 7.5 HIGH]

Authentication Bypass Glpi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66417 HIGH This Week

GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. [CVSS 7.5 HIGH]

SQLi Glpi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21917 HIGH This Week

Malformed SSL packets can trigger a Denial-of-Service condition in Juniper SRX devices running Junos OS with UTM Web-Filtering enabled, causing Forwarding Processor Card (FPC) crashes and restarts without requiring authentication. An unauthenticated network-based attacker can exploit this input validation flaw in the Web-Filtering module to disrupt device availability across affected Junos versions (23.2R2-S2 through 24.4R2). No patches are currently available for earlier Junos versions, and affected systems remain vulnerable until updates are applied.

Juniper TLS Denial Of Service Junos
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0227 HIGH CERT-EU This Week

Unauthenticated remote attackers can crash Palo Alto Networks PAN-OS firewalls through repeated requests, forcing the devices into maintenance mode and causing denial of service. This vulnerability affects Palo Alto firewalls and Prisma Access deployments with no available patch, creating ongoing operational risk. The attack requires no authentication or user interaction and can be exploited over the network.

Paloalto Denial Of Service Pan Os Prisma Access
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22909 HIGH This Week

TDC X401gl devices with unpatched firmware lack proper authorization controls for critical system functions, enabling unauthenticated remote attackers to arbitrarily start, stop, or delete applications and cause denial of service. This network-accessible vulnerability requires no user interaction and affects all default configurations. No patch is currently available.

Authentication Bypass Tdc X401gl Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0915 HIGH PATCH This Week

Stack memory disclosure in GNU C Library versions 2.0-2.42 allows unauthenticated remote attackers to leak sensitive stack contents via crafted DNS queries when getnetbyaddr functions are configured to use the DNS backend for network lookups. This vulnerability affects systems running vulnerable Glibc and DNS resolver combinations, with no available patch currently released.

DNS Glibc Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22803 HIGH PATCH This Week

SvelteKit versions 2.49.0 through 2.49.4 are vulnerable to denial-of-service attacks through the experimental form remote function, which fails to properly validate binary-encoded form payloads and can be exploited to exhaust server memory. An unauthenticated remote attacker can craft a malicious payload to trigger excessive memory allocation, rendering affected applications unavailable. The vulnerability is resolved in version 2.49.5.

Denial Of Service Kit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22910 HIGH This Week

TDC X401GL firmware contains hardcoded default credentials for privileged user accounts, enabling unauthenticated attackers to gain unauthorized administrative access over the network. This vulnerability affects all deployments using default configurations and could allow attackers to compromise system integrity and perform unauthorized operations. No patch is currently available.

Authentication Bypass Tdc X401gl Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21906 HIGH This Week

Juniper Junos OS SRX Series suffers a denial of service vulnerability in the packet forwarding engine when PowerMode IPsec and GRE performance acceleration are both enabled, allowing remote attackers to crash the device by sending a specially crafted ICMP packet through a GRE tunnel. The crash results in immediate traffic loss and device restart, affecting systems with both features active on vulnerable SRX platforms. No patch is currently available.

Juniper Denial Of Service Junos
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22775 HIGH PATCH This Week

Denial of service in Svelte devalue library versions 5.1.0 through 5.6.1 allows remote attackers to exhaust CPU and memory resources by supplying malformed input to the parse function, affecting applications that process untrusted serialized data. The vulnerability stems from insufficient validation of ArrayBuffer inputs during deserialization. Applications should upgrade to version 5.6.2 or later.

Denial Of Service Devalue
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22774 HIGH PATCH This Week

Denial of service in Svelte devalue versions 5.3.0 through 5.6.1 allows remote attackers to exhaust CPU and memory resources by supplying malformed input to the parse function, affecting applications that process untrusted data. The vulnerability stems from insufficient validation of typed array inputs before hydration, enabling attackers to trigger excessive resource consumption. Update to version 5.6.2 or later to remediate.

Denial Of Service Devalue
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21920 HIGH This Week

Denial-of-service attacks against Juniper SRX Series devices running Junos OS 23.4 through 24.4 can be triggered remotely by sending a maliciously crafted DNS request, causing the flowd process to crash and interrupt service until recovery completes. The vulnerability stems from an unchecked return value in the DNS module that allows unauthenticated, network-based attackers to exploit DNS-enabled SRX configurations without any user interaction. No patch is currently available for affected versions.

Juniper DNS Denial Of Service Junos
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21918 HIGH This Week

Juniper Networks Junos OS on SRX and MX Series is vulnerable to a double free condition in the flow processing daemon that an unauthenticated network attacker can trigger via a specific TCP packet sequence, causing the daemon to crash and the Fabric Routing Card to restart. This denial-of-service vulnerability affects all versions before 22.4R3-S7, 23.2 before 23.2R2-S3, 23.4 before 23.4R2-S4, and 24.2 before 24.2R2, with no patch currently available. An attacker on the network can exploit this vulnerability without authentication or user interaction to disrupt service availability.

Juniper Denial Of Service Junos
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21913 HIGH This Week

Unauthenticated network-based attackers can cause a denial of service on Juniper EX4000-48T, EX4000-48P, and EX4000-48MP switches by sending high-volume traffic that crashes the FXPC component and forces a device restart. The vulnerability stems from improper resource initialization in the Internal Device Manager and results in complete service outage until automatic recovery completes. Affected versions include Junos OS 24.4 before 24.4R2 and 25.2 before 25.2R1, with no patch currently available.

Juniper Denial Of Service Junos
NVD
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy