23,984 CVEs · Medium severity
CVEs (23,984, showing first 500)
| CVE ID | Severity | Patch | CVSS ↓ | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-46361 | MEDIUM | Patched | 6.9 | 2026-05-15 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, d… |
| CVE-2026-37503 | MEDIUM | Patched | 6.9 | 2026-05-01 | Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.bl… |
| CVE-2026-41238 | MEDIUM | | 6.9 | 2026-04-23 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. Whe… |
| CVE-2026-41527 | MEDIUM | Patched | 6.9 | 2026-04-21 | KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ens… |
| CVE-2026-41253 | MEDIUM | Patched | 6.9 | 2026-04-18 | In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is va… |
| CVE-2026-39963 | MEDIUM | Patched | 6.9 | 2026-04-15 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_H… |
| CVE-2026-37980 | MEDIUM | | 6.9 | 2026-04-14 | A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileg… |
| CVE-2026-40446 | MEDIUM | | 6.9 | 2026-04-13 | Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 97e8115… |
| CVE-2026-28553 | MEDIUM | | 6.9 | 2026-04-13 | Vulnerability of improper permission control in the theme setting module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2026-34530 | MEDIUM | Patched | 6.9 | 2026-04-01 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA in… |
| CVE-2026-32041 | MEDIUM | Patched | 6.9 | 2026-03-19 | OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without aut… |
| CVE-2025-68482 | MEDIUM | Patched | 6.9 | 2026-03-10 | An improper certificate validation vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnaly… |
| CVE-2026-28690 | MEDIUM | Patched | 6.9 | 2026-03-10 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerabili… |
| CVE-2026-24922 | MEDIUM | | 6.9 | 2026-02-06 | Buffer overflow vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect availability. |
| CVE-2026-25210 | MEDIUM | Patched | 6.9 | 2026-01-30 | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. |
| CVE-2025-68933 | MEDIUM | Patched | 6.9 | 2026-01-28 | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_owner… |
| CVE-2025-8386 | MEDIUM | | 6.9 | 2025-11-15 | The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-sit… |
| CVE-2025-42895 | MEDIUM | | 6.9 | 2025-11-11 | Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that … |
| CVE-2025-52662 | MEDIUM | Patched | 6.9 | 2025-11-07 | A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All user… |
| CVE-2025-63675 | MEDIUM | Patched | 6.9 | 2025-10-31 | cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py. |
| CVE-2025-62414 | MEDIUM | Patched | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS).… |
| CVE-2025-62415 | MEDIUM | Patched | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) t… |
| CVE-2025-62418 | MEDIUM | Patched | 6.9 | 2025-10-16 | Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) t… |
| CVE-2025-42946 | MEDIUM | | 6.9 | 2025-08-12 | Due to directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in… |
| CVE-2025-52586 | MEDIUM | | 6.9 | 2025-08-08 | The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow a… |