Skip to main content
CVE-2019-25434 MEDIUM POC This Month

SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive data in the registration name field. [CVSS 7.5 HIGH]

Denial Of Service Spotauditor Buffer Overflow Stack Overflow
NVD Exploit-DB VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2019-25436 MEDIUM POC This Month

Deviceviewer versions up to 3.12.0.1 contains a vulnerability that allows attackers to change passwords without proper validation of the old password field (CVSS 6.5).

Authentication Bypass Deviceviewer
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2019-25448 MEDIUM POC This Month

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. [CVSS 6.4 MEDIUM]

XSS Orientdb
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25437 MEDIUM POC This Month

Foscam Video Management System 1.1.6.6 contains a buffer overflow vulnerability in the UID field that allows local attackers to crash the application by supplying an excessively long string. [CVSS 6.2 MEDIUM]

Buffer Overflow Denial Of Service
NVD Exploit-DB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2019-25453 MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25454 MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25445 MEDIUM POC This Month

Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. [CVSS 6.1 MEDIUM]

PHP XSS Fiverr Clone Script
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27120 MEDIUM POC PATCH This Month

Leafkit versions up to 1.4.1 contains a vulnerability that allows attackers to XSS if there is a leaf variable in the attribute that is user controlled (CVSS 6.1).

XSS Leafkit
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25449 MEDIUM POC This Month

OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. [CVSS 6.1 MEDIUM]

XSS Orientdb
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26987 MEDIUM POC PATCH This Month

Reflected cross-site scripting in LibreNMS versions 25.12.0 and earlier allows unauthenticated remote attackers to inject malicious scripts via the email field, potentially compromising user sessions and enabling credential theft or malware distribution. Public exploit code exists for this vulnerability, and affected organizations should upgrade to version 26.2.0 or later immediately.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27009 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.

XSS AI / ML Openclaw
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-2848 MEDIUM POC This Month

SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 allows unauthenticated remote attackers to manipulate the Username parameter during registration, potentially enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2821 MEDIUM POC This Month

A weakness has been identified in Fujian Smart Integrated Management Platform System versions up to 7.5. contains a security vulnerability (CVSS 7.3).

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2820 MEDIUM POC This Month

SQL injection in Fujitsu Smart Integrated Management Platform System version 7.5 and earlier allows unauthenticated remote attackers to execute arbitrary SQL queries via the DeviceIDS parameter in the XAccessPermissionPlus.ashx endpoint. Public exploit code exists for this vulnerability, enabling potential database compromise and unauthorized data access. No patch is currently available.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-26745 MEDIUM POC This Month

OpenSourcePOS 3.4.1 allows authenticated attackers to execute arbitrary SQL commands through unsanitized concatenation of the currency_symbol configuration parameter into dynamic database queries. An attacker with administrative privileges can exploit this second-order SQL injection to access or manipulate sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi Open Source Point Of Sale
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-26992 MEDIUM POC PATCH This Month

Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized port group names, which execute when other users view the affected port group. Public exploit code exists for this vulnerability. The issue is resolved in version 26.2.0.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-26991 MEDIUM POC PATCH This Month

Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized device group names, which execute when other users view the group management interface. Public exploit code exists for this vulnerability, affecting LibreNMS deployments across multiple supported platforms. The vulnerability has been patched in version 26.2.0.

MySQL Redis SNMP XSS Librenms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-26993 MEDIUM POC PATCH This Month

Stored XSS in Flare file sharing platform versions 1.7.0 and below allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG or HTML files that execute when viewed in raw mode, potentially enabling session hijacking or data theft. The vulnerability stems from insufficient file content validation and sanitization during upload. Public exploit code exists; upgrade to version 1.7.1 or later to remediate.

XSS Flare
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2019-25447 MEDIUM POC This Month

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. [CVSS 4.3 MEDIUM]

XSS CSRF Orientdb
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26989 MEDIUM POC PATCH This Month

Stored XSS in LibreNMS Alert Rules allows authenticated administrators to inject malicious scripts that execute when other users view the Alert Rules page, affecting versions 25.12.0 and below. Public exploit code exists for this vulnerability, though exploitation requires high-level administrative privileges and user interaction. The vulnerability has been patched in version 26.2.0.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2035 MEDIUM This Month

Remote code execution in Deciso OPNsense's backup functionality allows authenticated network-adjacent attackers to execute arbitrary commands with root privileges through insufficient input validation in the diag_backup.php file. An attacker with valid credentials can inject malicious commands into backup filename parameters to achieve code execution on the affected system. No patch is currently available for this vulnerability.

PHP RCE Command Injection
NVD GitHub
CVSS 3.0
6.8
EPSS
0.2%
CVE-2026-27125 MEDIUM PATCH This Month

Svelte versions prior to 5.51.5 improperly enumerate prototype chain properties during server-side rendering attribute spreading, allowing polluted Object.prototype properties to inject unexpected attributes into SSR output or cause rendering errors. This vulnerability affects applications using SSR where the prototype chain has been previously manipulated, though client-side rendering is unaffected. The issue requires prototype pollution as a precondition but can lead to information disclosure or denial of service in vulnerable SSR environments.

Code Injection Svelte Red Hat
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-22341 MEDIUM This Month

Booked scheduling software versions 3.0.0 and earlier contain an authentication bypass flaw that allows authenticated users to abuse alternate authentication paths or channels to gain unauthorized access. An attacker with valid credentials could exploit this vulnerability to escalate privileges or access restricted functionality without proper authorization. No patch is currently available for affected installations.

Authentication Bypass
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-26972 MEDIUM PATCH This Month

OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.

Path Traversal AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-27008 MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.

Information Disclosure AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2024-56208 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in desertthemes NewsMash newsmash allows Stored XSS.This issue affects NewsMash: from n/a through <= 1.0.71. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-51915 MEDIUM This Month

LiteSpeed Technologies LiteSpeed Cache litespeed-cache is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68895 MEDIUM This Month

ahachat AhaChat Messenger Marketing ahachat-messenger-marketing contains a security vulnerability (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24946 MEDIUM This Month

Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68564 MEDIUM This Month

Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendy: from n/a through <= 3.4.2. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68542 MEDIUM This Month

vgdevsolutions Checkout Gateway for IRIS checkout-gateway-iris is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68050 MEDIUM This Month

Missing Authorization vulnerability in Leadpages Leadpages leadpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadpages: from n/a through <= 1.1.3. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68032 MEDIUM This Month

Passionate Brains Advanced WC Analytics advance-wc-analytics is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68028 MEDIUM This Month

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass Google
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68026 MEDIUM This Month

Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68025 MEDIUM This Month

Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68024 MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68023 MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify &#8211; Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify &#8211; Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68021 MEDIUM This Month

Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.5. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67993 MEDIUM This Month

Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.2.1. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67973 MEDIUM This Month

sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67969 MEDIUM This Month

knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67624 MEDIUM This Month

Missing Authorization vulnerability in Arya Dhiratara Optimize More! &#8211; Images optimize-more-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optimize More! [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67547 MEDIUM This Month

Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Konte: from n/a through <= 2.4.6. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24953 MEDIUM This Month

Authenticated attackers can traverse directory restrictions in Mitchell Bennis Simple File List versions up to 6.1.15 to read files outside intended directories, requiring valid credentials but no user interaction. This path traversal vulnerability impacts confidentiality but not system integrity or availability, with no patch currently available.

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68002 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 100plugins Open User Map open-user-map allows Path Traversal.This issue affects Open User Map: from n/a through <= 1.4.16. [CVSS 6.5 MEDIUM]

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26329 MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.

Path Traversal AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24944 MEDIUM This Month

Inadequate access control in weDevs Subscribe2 plugin version 10.44 and earlier permits unauthenticated attackers to bypass authorization checks and gain unauthorized access to restricted functionality. An attacker can exploit misconfigured security levels to perform actions they should not be permitted to execute, potentially exposing sensitive subscriber data or modifying plugin settings. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2350 MEDIUM This Month

Tanium Interact logs sensitive information that authenticated users can access, potentially exposing confidential data through log file inspection. The vulnerability requires valid credentials and does not allow modification or service disruption, limiting its impact to information disclosure.

Information Disclosure Interact
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1292 MEDIUM This Month

Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. [CVSS 6.5 MEDIUM]

Information Disclosure Trends
NVD
CVSS 3.1
6.5
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy