Skip to main content
CVE-2025-47383 HIGH This Week

5G Fixed Wireless Access Platform Firmware versions up to - contains a vulnerability that allows attackers to cryptographic issue when a VoWiFi call is triggered from UE (CVSS 7.2).

Information Disclosure Snapdragon 820am Firmware Video Collaboration Vc3 Platform Firmware Sw5100p Firmware Sm6250 Firmware +190
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-47378 HIGH This Week

Cryptographic Issue when a shared VM reference allows HLOS to boot loader and access cert chain. [CVSS 7.1 HIGH]

Information Disclosure Fastconnect 6900 Firmware Snapdragon Xr2 5g Platform Firmware Sar2230p Firmware Snapdragon Ar1 Gen 1 Platform Firmware +67
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48641 HIGH This Week

In multiple functions of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.0 HIGH]

Use After Free Privilege Escalation Race Condition Android Google
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-25477 MEDIUM This Month

all-in-one workspace and an operating system. versions up to 0.26.0 is affected by url redirection to untrusted site (open redirect).

Open Redirect
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-30062 MEDIUM This Month

In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection.

SQLi
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-0027 MEDIUM PATCH This Month

The ARM SMMU v3 driver in Android contains a use-after-free vulnerability in the smmu_detach_dev function that could allow a local privileged attacker to execute arbitrary code with system privileges. An attacker with high-level system access can trigger an out-of-bounds write to escalate privileges without requiring user interaction. A patch is available to address this issue.

Use After Free Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20436 MEDIUM This Month

The Nbiot SDK's wlan STA driver contains a buffer overflow vulnerability due to missing bounds checking that allows privilege escalation from System-level access. An attacker with existing System privileges can exploit this flaw without user interaction to gain elevated permissions. No patch is currently available for this vulnerability.

Privilege Escalation Nbiot Sdk
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20440 MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20444 MEDIUM This Month

Local privilege escalation in Android's display module stems from insufficient bounds checking in memory operations, allowing system-level attackers to corrupt memory and gain elevated privileges without user interaction. The vulnerability affects Android devices where an adversary with existing system privileges can exploit this flaw to further escalate their access. No patch is currently available for this issue.

Memory Corruption Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20443 MEDIUM This Month

Local privilege escalation in Android's display subsystem exploits a use-after-free memory corruption vulnerability to elevate from system-level privileges, requiring no user interaction. An attacker with pre-existing system access can trigger the memory corruption to gain complete control over the affected device. No patch is currently available to remediate this issue.

Use After Free Memory Corruption Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20441 MEDIUM This Month

Android's MAE component contains an out-of-bounds write vulnerability due to insufficient bounds checking that enables local privilege escalation for attackers with existing system-level access. This memory corruption flaw requires no user interaction and could allow a privileged malicious actor to achieve arbitrary code execution, though exploitation is currently not publicly documented. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20428 MEDIUM This Month

Improper bounds checking in Android's display subsystem enables local privilege escalation for attackers with system-level access, potentially allowing them to execute arbitrary code with elevated privileges. The vulnerability stems from an out-of-bounds write condition that requires no user interaction to exploit. No patch is currently available for this medium-severity issue.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20427 MEDIUM This Month

Android's display subsystem contains a buffer overflow vulnerability stemming from insufficient bounds validation, allowing attackers with system-level privileges to escalate their access further without user interaction. This local privilege escalation affects Android devices and requires an attacker to already possess system privileges, limiting the immediate threat scope. While no patch is currently available, the vulnerability poses a significant risk in multi-user or containerized Android environments where system compromise could lead to complete device control.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20426 MEDIUM This Month

Android's display component contains an out-of-bounds write vulnerability due to insufficient bounds checking that could allow a system-privileged attacker to escalate privileges without user interaction. The vulnerability affects devices where an adversary has already obtained system-level access, enabling potential memory corruption and further privilege elevation. No patch is currently available.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20425 MEDIUM This Month

Android's display module contains an out-of-bounds write vulnerability due to insufficient bounds validation, enabling local privilege escalation for attackers who already possess System-level access. The vulnerability requires no user interaction and could allow complete system compromise through memory corruption. No patch is currently available for this medium-severity issue.

Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2024-43766 MEDIUM This Month

Android versions up to 14.0 is affected by cleartext transmission of sensitive information (CVSS 6.5).

Information Disclosure Android Google
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28396 MEDIUM PATCH This Month

NocoDB versions prior to 0.301.3 fail to invalidate refresh tokens during password resets, enabling attackers with previously compromised tokens to continue generating valid session tokens despite the victim changing their password. An authenticated attacker can exploit this to maintain unauthorized access to user accounts without requiring the new credentials. This vulnerability requires prior token compromise but allows indefinite session hijacking until the stolen token naturally expires.

Information Disclosure Nocodb
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-47384 MEDIUM This Month

5G Fixed Wireless Access Platform Firmware versions up to - is affected by reachable assertion (CVSS 6.5).

Denial Of Service Qca6391 Firmware 5g Fixed Wireless Access Platform Firmware Snapdragon 690 5g Mobile Platform Firmware Wsa8835 Firmware +34
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-47371 MEDIUM This Month

5G Fixed Wireless Access Platform Firmware versions up to - is affected by reachable assertion (CVSS 6.5).

Denial Of Service Wcn3950 Firmware Snapdragon 7c Gen 2 Compute Platform Firmware Wcd9340 Firmware Wsa8830 Firmware +117
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2583 MEDIUM This Month

Stored cross-site scripting in Blocksy WordPress theme versions up to 2.1.30 allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized metadata fields. When users access pages containing injected payloads, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-20438 MEDIUM This Month

Android versions up to 15.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.4).

Privilege Escalation Race Condition Android Google
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-28361 MEDIUM PATCH This Month

Nocodb versions up to 0.301.3 is affected by authorization bypass through user-controlled key (CVSS 6.3).

Authentication Bypass Nocodb
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-0012 MEDIUM This Month

Contact information exposure in Android's notification system allows local attackers to extract sensitive user data through a logic error in the setHideSensitive function, requiring no special privileges or user interaction. The vulnerability affects the ExpandableNotificationRow component where contact names can be inadvertently disclosed despite intended privacy protections. No patch is currently available for this medium-severity flaw.

Information Disclosure Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-0015 MEDIUM This Month

AppOpsService.java in Android contains insufficient input validation that permits local attackers to trigger persistent denial of service without requiring elevated privileges or user interaction. An attacker can exploit multiple code paths to repeatedly crash or disable the service, degrading system functionality for legitimate users. No patch is currently available for this vulnerability.

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-0014 MEDIUM This Month

Local denial of service in Android's AppOpsService allows unauthenticated attackers to trigger persistent system crashes through improper input validation in the isPackageNullOrSystem function. The vulnerability requires only local access with no special privileges or user interaction, making any app on an affected device a potential attack vector. No patch is currently available.

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-0005 MEDIUM This Month

App pinning bypass in Android's KeyguardServiceDelegate allows unauthenticated local attackers to interact with restricted applications without the lock screen knowledge factor (LSKF) due to insufficient permission validation. The vulnerability enables limited information disclosure through unauthorized app access with no additional privileges or user interaction required. No patch is currently available.

Information Disclosure Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-48587 MEDIUM This Month

In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 6.2 MEDIUM]

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-48585 MEDIUM This Month

In multiple functions of ProfilingService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 6.2 MEDIUM]

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-3408 LOW POC PATCH GHSA Monitor

Open Babel versions up to 3.1.1 contain a null pointer dereference in the CDXML file handler's OBAtom::GetExplicitValence function, allowing remote attackers to crash the application through maliciously crafted files. Public exploit code exists for this vulnerability, making it a practical attack vector for denial of service. A patch is available and should be applied to all affected installations.

Denial Of Service Open Babel Babel
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-66880 MEDIUM This Month

Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules. [CVSS 6.1 MEDIUM]

XSS RCE
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-15597 LOW POC PATCH Monitor

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. [CVSS 6.3 MEDIUM]

Information Disclosure Sqlbot
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-52564 MEDIUM PATCH This Month

Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. [CVSS 6.1 MEDIUM]

PHP Chamilo Lms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-52563 MEDIUM This Month

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. [CVSS 6.1 MEDIUM]

PHP XSS Chamilo Lms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3412 LOW POC Monitor

University Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-52476 MEDIUM PATCH This Month

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. [CVSS 6.1 MEDIUM]

PHP XSS Chamilo Lms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-52475 MEDIUM PATCH This Month

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. [CVSS 6.1 MEDIUM]

PHP XSS Chamilo Lms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-58405 MEDIUM This Month

The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. [CVSS 6.1 MEDIUM]

CSRF Clininet
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-65465 MEDIUM This Month

A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter (e.g., to the FileRead function). [CVSS 6.1 MEDIUM]

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0689 MEDIUM This Month

In ExtremeCloud IQ - Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses.

Information Disclosure Extremecloud Iq Site Engine
NVD VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-3337 MEDIUM PATCH This Month

Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.

AWS Aws Libcrypto Aws Lc Fips Sys Aws Lc Sys Red Hat +2
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-3403 LOW POC Monitor

A vulnerability was detected in PHPGurukul Student Record Management System 1.0. This issue affects some unknown processing of the file /edit-subject.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3402 LOW POC Monitor

A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3409 MEDIUM This Month

Remote code injection in eosphoros-ai db-gpt 0.7.5 allows unauthenticated attackers to execute arbitrary code through malicious file uploads to the Flow Import endpoint. The vulnerability exploits unsafe module loading in the file import functionality and has public exploit code available. No patch is currently available from the vendor.

Code Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-48644 MEDIUM This Month

In multiple locations, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 5.5 MEDIUM]

Denial Of Service Android Google
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-48642 MEDIUM This Month

In jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 5.5 MEDIUM]

Information Disclosure Android Google
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-28401 MEDIUM PATCH This Month

NocoDB versions before 0.301.3 allow authenticated attackers to inject malicious JavaScript through rich text cell content that is rendered without sanitization, enabling stored cross-site scripting attacks. An attacker with user access can craft malicious payloads that execute in the browsers of other users viewing affected cells, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected deployments.

XSS Nocodb
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28398 MEDIUM PATCH This Month

Stored cross-site scripting in NocoDB versions before 0.301.3 allows authenticated users to inject malicious scripts through comments and rich text cells that execute in other users' browsers due to unsanitized HTML rendering. An attacker with login credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise other database users accessing the same NocoDB instance. No patch is currently available for affected deployments.

XSS Nocodb
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28397 MEDIUM PATCH This Month

NocoDB versions prior to 0.301.3 are vulnerable to stored cross-site scripting (XSS) through improperly sanitized comment rendering via v-html, allowing authenticated users to inject malicious scripts that execute in other users' browsers. An attacker with login access could craft malicious comments to steal session tokens, perform unauthorized actions, or deface the application interface for other users. A patch is available in version 0.301.3 and later.

XSS Nocodb
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28359 MEDIUM PATCH This Month

NocoDB versions prior to 0.301.3 allow authenticated Editor-role users to inject arbitrary HTML into Rich Text cells by bypassing client-side validation and sending malicious payloads directly through the API. This stored XSS vulnerability affects any NocoDB instance where untrusted users have Editor access, potentially enabling malicious script execution in the browsers of users viewing affected cells. No patch is currently available for this vulnerability.

XSS Nocodb
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28357 MEDIUM PATCH This Month

Stored XSS in NocoDB versions before 0.301.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers through malicious formulas in virtual cells. The vulnerability exploits unsanitized rendering of URI patterns in formula results, enabling attackers to steal session tokens, manipulate data, or perform actions on behalf of victims. No patch is currently available for affected deployments.

XSS Nocodb
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy