CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

3.1CVSS5.5AI score0.00011EPSS

CVE-2026-33212

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

3.7CVSS5.4AI score0.00029EPSS

CVE-2026-33877

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint /api/v1/@apostrophecms/login/reset-request that allows unauthenticated username and email enumeration. When a user is not found,...

3.3CVSS5.4AI score0.00013EPSS

CVE-2026-33565

in OpenHarmony v6.0 and prior versions allow a local attacker cause DOS...

4.3CVSS5.5AI score0.00032EPSS

CVE-2026-42865

Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This...

CVE-2026-42873

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, when attempting to upload a file with malicious content to funcionario/docdependenteupload.php, the application responds with an overly descriptive error message. This leads to information disclosure, effectively...

5.4AI score0.00032EPSS

7.5CVSS5.4AI score0.00032EPSS

CVE-2026-42670

Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14...

5.4CVSS5.5AI score0.00011EPSS

CVE-2026-24069

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise KOP was affected before 2.8.2509.4...

RedhatCVE•added 3 days ago•4 views

CVE-2026-28860

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A local attacker may be able to modify the state of the...

7.5CVSS5.4AI score0.00118EPSS

6.5CVSS5.5AI score0.00039EPSS

CVE-2026-28909

Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3...

7.5CVSS5.4AI score0.00049EPSS

CVE-2026-28987

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to leak sensitive kernel state...

RedhatCVE•added 3 days ago•4 views

CVE-2026-37597

SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfhattendance/admin/attendancelist.php...

2.7CVSS5.7AI score0.0003EPSS

7.3CVSS5.7AI score0.00038EPSS

CVE-2026-37337

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/viewplaylist.php...

2.7CVSS5.7AI score0.0003EPSS

CVE-2026-37590

SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/managerent.php...

9.8CVSS6AI score0.00281EPSS

CVE-2026-37709

Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component...

RedhatCVE•added 3 days ago•3 views

CVE-2026-37596

SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfhattendance/admin/managedepartment.php...

2.7CVSS5.7AI score0.0003EPSS

9.8CVSS5.7AI score0.00016EPSS

CVE-2026-37345

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/managepark.php...

6.5CVSS5.9AI score0.00388EPSS

CVE-2026-31171

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi...

9.8CVSS5.9AI score0.00612EPSS

CVE-2026-31175

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi...

8.8CVSS6.2AI score0.00191EPSS

CVE-2026-31221

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability CWE-502 in the checkpoint loading mechanism. The LightningModule.loadfromcheckpoint method, which is commonly used to load saved model states, internally calls torch.load without setting the...