Total
336347 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-3289 | 1 Publiccms | 1 Publiccms | 2026-03-02 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a manipulation can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-3293 | 1 Snowflake | 1 Snowflake Jdbc | 2026-03-02 | 1.7 LOW | 3.3 LOW |
|
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a ...
Show More |
|||||
| CVE-2026-27747 | 1 Spip | 1 Interface Traduction Objets | 2026-03-02 | N/A | 8.8 HIGH |
|
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_p ...
Show More |
|||||
| CVE-2026-27521 | 1 Binardat | 2 10g08-0800gsm, 10g08-0800gsm Firmware | 2026-03-02 | N/A | 7.5 HIGH |
|
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior do not implement rate limiting or account lockout on failed login attempts, enabling brute-force attacks against user credentials.
|
|||||
| CVE-2026-27517 | 1 Binardat | 2 10g08-0800gsm, 10g08-0800gsm Firmware | 2026-03-02 | N/A | 6.1 MEDIUM |
|
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior reflect unsanitized user input in the web interface, allowing an attacker to inject and execute arbitrary JavaScript in the context of an authenticated user.
|
|||||
| CVE-2026-27516 | 1 Binardat | 2 10g08-0800gsm, 10g08-0800gsm Firmware | 2026-03-02 | N/A | 7.5 HIGH |
|
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior expose user passwords in plaintext within the administrative interface and HTTP responses, allowing recovery of valid credentials.
|
|||||
| CVE-2026-27474 | 1 Spip | 1 Spip | 2026-03-02 | N/A | 6.1 MEDIUM |
|
SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.
|
|||||
| CVE-2026-26367 | 1 Jung-group | 1 Enet Smart Home | 2026-03-02 | N/A | 8.1 HIGH |
|
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permis ...
Show More |
|||||
| CVE-2026-26223 | 1 Spip | 1 Spip | 2026-03-02 | N/A | 6.1 MEDIUM |
|
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
|
|||||
| CVE-2025-71242 | 1 Spip | 1 Spip | 2026-03-02 | N/A | 6.5 MEDIUM |
|
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
|
|||||
| CVE-2025-71241 | 1 Spip | 1 Spip | 2026-03-02 | N/A | 6.1 MEDIUM |
|
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
|
|||||
| CVE-2022-50923 | 1 Cobiansoft | 1 Cobian Backup | 2026-03-02 | N/A | 7.8 HIGH |
|
Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup.
|
|||||
| CVE-2022-50917 | 1 Proton | 1 Protonvpn | 2026-03-02 | N/A | 7.8 HIGH |
|
ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup.
|
|||||
| CVE-2022-50915 | 1 Primera | 1 Ptpublisher | 2026-03-02 | N/A | 7.8 HIGH |
|
PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access.
|
|||||
| CVE-2022-50895 | 1 Aerocms Project | 1 Aerocms | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system.
|
|||||
| CVE-2021-47779 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2026-03-02 | N/A | 5.4 MEDIUM |
|
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.
|
|||||
| CVE-2019-25461 | 1 Web-ofisi | 1 Ticaret | 2026-03-02 | N/A | 7.5 HIGH |
|
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Attackers can send POST requests to the ajax/productsFilterSearch endpoint with malicious 'q' values using time-based blind SQL injection techniques to extract sensitive database information.
|
|||||
| CVE-2019-25460 | 1 Web-ofisi | 1 Platinum E-ticaret | 2026-03-02 | N/A | 7.5 HIGH |
|
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' GET parameter. Attackers can send requests to the arama endpoint with malicious 'q' values using time-based SQL injection techniques to extract sensitive database information.
|
|||||
| CVE-2019-25459 | 1 Web-ofisi | 1 Emlak | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in the endpoint that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into parameters like emlak_durumu, emlak_tipi, il, ilce, kelime, and semt to extract sensitive database information or perform time-based blind SQL injection attacks.
|
|||||
| CVE-2019-25458 | 1 Web-ofisi | 1 Firma Rehberi | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Web Ofisi Firma Rehberi v1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can send requests to with malicious payloads in the 'il', 'kat', or 'kelime' parameters to extract sensitive database information or perform time-based blind SQL injection attacks.
|
|||||
| CVE-2019-25457 | 1 Web-ofisi | 1 Firma | 2026-03-02 | N/A | 7.5 HIGH |
|
Web Ofisi Firma v13 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. Attackers can send GET requests to category pages with malicious 'oz[]' values using time-based blind SQL injection payloads to extract sensitive database information.
|
|||||
| CVE-2019-25456 | 1 Web-ofisi | 1 Emlak | 2026-03-02 | N/A | 9.1 CRITICAL |
|
Web Ofisi Emlak v2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'ara' GET parameter. Attackers can send requests to with time-based SQL injection payloads to extract sensitive database information or cause denial of service.
|
|||||
| CVE-2019-25455 | 1 Web-ofisi | 1 E-ticaret | 2026-03-02 | N/A | 7.5 HIGH |
|
Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests to with malicious 'a' parameter values to extract sensitive database information.
|
|||||
| CVE-2019-25454 | 1 Phpmoadmin | 1 Phpmoadmin | 2026-03-02 | N/A | 6.1 MEDIUM |
|
phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection creation to execute arbitrary JavaScript in users' browsers.
|
|||||
| CVE-2019-25452 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2026-03-02 | N/A | 7.5 HIGH |
|
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
|
|||||
| CVE-2019-25451 | 1 Phpmoadmin | 1 Phpmoadmin | 2026-03-02 | N/A | 8.8 HIGH |
|
phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. Attackers can trick authenticated users into submitting GET requests to moadmin.php with parameters like action, db, and collection to create, drop, or repair databases and collections without user consent.
|
|||||
| CVE-2019-25450 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2026-03-02 | N/A | 7.5 HIGH |
|
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.
|
|||||
| CVE-2019-25444 | 1 Phpscriptsmall | 1 Fiverr Clone Script | 2026-03-02 | N/A | 9.1 CRITICAL |
|
Fiverr Clone Script 1.2.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. Attackers can supply malicious SQL syntax in the page parameter to extract sensitive database information or modify database contents.
|
|||||
| CVE-2019-25442 | 1 Webwiz | 1 Web Wiz Forums | 2026-03-02 | N/A | 7.5 HIGH |
|
Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information.
|
|||||
| CVE-2019-25438 | 1 Agilebio | 1 Labcollector | 2026-03-02 | N/A | 7.5 HIGH |
|
LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication.
|
|||||
| CVE-2019-25347 | 1 Kostasmitroglou | 1 Password Management Application | 2026-03-02 | N/A | 7.5 HIGH |
|
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts.
|
|||||
| CVE-2019-25346 | 1 Kostasmitroglou | 1 Password Management Application | 2026-03-02 | N/A | 7.5 HIGH |
|
TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information.
|
|||||
| CVE-2019-25338 | 1 Dokuwiki | 1 Dokuwiki | 2026-03-02 | N/A | 5.3 MEDIUM |
|
DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.
|
|||||
| CVE-2019-25312 | 1 Inoideas | 1 Inoerp | 2026-03-02 | N/A | 5.4 MEDIUM |
|
InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the comment section that allows unauthenticated attackers to inject malicious scripts. Attackers can submit comments with JavaScript payloads that execute in other users' browsers, potentially stealing cookies and session information.
|
|||||
| CVE-2019-25298 | 1 Lolypop55 | 1 Html5 Snmp | 2026-03-02 | N/A | 9.1 CRITICAL |
|
html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by sending crafted payloads.
|
|||||
| CVE-2019-25294 | 1 Lolypop55 | 1 Html5 Snmp | 2026-03-02 | N/A | 6.1 MEDIUM |
|
html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victim browsers when the page is loaded.
|
|||||
| CVE-2026-28372 | 1 Gnu | 1 Inetutils | 2026-03-02 | N/A | 7.4 HIGH |
|
telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.
|
|||||
| CVE-2026-24892 | 1 It-novum | 1 Openitcockpit | 2026-03-02 | N/A | 7.5 HIGH |
|
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived from attacker-influenced application state is unserialized without restricting allowed classes. Although no current application endpoint was found to introduce PHP objects into this data path, the presence ...
Show More |
|||||
| CVE-2026-27942 | 1 Naturalintelligence | 1 Fast-xml-parser | 2026-03-02 | N/A | 7.5 HIGH |
|
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.
|
|||||
| CVE-2026-25896 | 1 Naturalintelligence | 1 Fast-xml-parser | 2026-03-02 | N/A | 9.3 CRITICAL |
|
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
|
|||||