Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,855
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,661 - 8,680 of 13,828 CVEs
CVE-2026-33688 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames an...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-33685 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel na...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-33683 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` f...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-4593 MEDIUM - 6.3

A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initi...

Published: Mar 23, 2026
Source: NVD
CVE-2026-30007 MEDIUM - 6.2

XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file.

Vendor: xnview
Product: nconvert
Published: Mar 23, 2026
Source: NVD
CVE-2026-30006 MEDIUM - 6.2

XnSoft NConvert 7.230 is vulnerable to Stack Buffer Overrun via a crafted .tiff file.

Vendor: xnview
Product: nconvert
Published: Mar 23, 2026
Source: NVD
CVE-2026-4592 MEDIUM - 5.6

A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper authentication. The attack is possi...

Published: Mar 23, 2026
Source: NVD
CVE-2026-4591 MEDIUM - 4.7

A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit ha...

Published: Mar 23, 2026
Source: NVD
CVE-2024-51226 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Search parameter.

Vendor: phpgurukul
Product: vehicle_record_management_system
Published: Mar 23, 2026
Source: NVD
CVE-2024-51225 MEDIUM - 4.8

A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the brandname parameter.

Vendor: phpgurukul
Product: vehicle_record_management_system
Published: Mar 23, 2026
Source: NVD
CVE-2024-51224 MEDIUM - 4.8

Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the vehiclename, modelnumber, regnumber, vehiclesubtype, cha...

Vendor: phpgurukul
Product: vehicle_record_management_system
Published: Mar 23, 2026
Source: NVD
CVE-2024-51223 MEDIUM - 4.8

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Mobile Number parameter.

Vendor: phpgurukul
Product: vehicle_record_management_system
Published: Mar 23, 2026
Source: NVD
CVE-2024-51222 MEDIUM - 4.8

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.

Vendor: phpgurukul
Product: vehicle_record_management_system
Published: Mar 23, 2026
Source: NVD
CVE-2026-4647 MEDIUM - 6.1

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause t...

Vendor: gnu
Product: binutils
Published: Mar 23, 2026
Source: NVD
CVE-2026-4589 MEDIUM - 6.3

A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component fileGet Endpoint. Such manipulation of the argument path leads to server-side request forgery. The ...

Published: Mar 23, 2026
Source: NVD
CVE-2026-3635 MEDIUM - 6.1

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — in...

Vendor: npm
Product: fastify
Published: Mar 23, 2026
Source: NVD
CVE-2019-25625 MEDIUM - 6.2

Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of repeated characters and trigger the application to read it, causing t...

Vendor: Pixarra
Product: Blob Studio
Published: Mar 23, 2026
Source: NVD
CVE-2019-25624 MEDIUM - 6.2

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the application...

Vendor: Pixarra
Product: Liquid Studio
Published: Mar 23, 2026
Source: NVD
CVE-2019-25623 MEDIUM - 6.2

Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can create a text file with arbitrary character sequences and trigger the application to process the input, cau...

Vendor: Pixarra
Product: Luminance Studio
Published: Mar 23, 2026
Source: NVD
CVE-2019-25622 MEDIUM - 6.2

Paint Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of characters and trigger the application to read it, causing the appli...

Vendor: Pixarra
Product: Paint Studio
Published: Mar 23, 2026
Source: NVD