Latest CVE Feed
- 7.5 HIGH CVE-2026-25650
  MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.
  Affected Products: mcp_salesforce_connector
  Published: Feb. 06, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Information Disclosure
- 5.4 MEDIUM CVE-2026-25647
  Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a...
  Affected Products: siyuan
  Published: Feb. 06, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Cross-Site Scripting
- 5.4 MEDIUM CVE-2026-1769
  Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS. This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2...
  Published: Feb. 06, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Cross-Site Scripting
- 8.2 HIGH CVE-2026-23989
  REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the "ar...
  Affected Products: opencloud_reva
  Published: Feb. 06, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Authorization
- 5.4 MEDIUM CVE-2026-24903
  OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaS...
  Affected Products: orcastatllm_researcher
  Published: Feb. 06, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Cross-Site Scripting
- 8.8 HIGH CVE-2026-24851
  OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to im...
  Published: Feb. 06, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Authorization
- 5.3 MEDIUM CVE-2026-26745
  OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL ...
  Affected Products: open_source_point_of_sale
  Published: Feb. 20, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Injection
- 8.8 HIGH CVE-2026-2822
  A security vulnerability has been detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file /jeecgboot/sys/dict/loadDict/airag_app,1,create_by of the component Backend Interface. Such manipulation of the argument keyword l...
  Affected Products: jeecg_boot
  Published: Feb. 20, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Injection
- 7.2 HIGH CVE-2019-25454
  phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the co...
  Affected Products: phpmoadmin
  Published: Feb. 20, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Cross-Site Scripting
- 6.1 MEDIUM CVE-2019-25453
  phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moa...
  Affected Products: phpmoadmin
  Published: Feb. 20, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Cross-Site Scripting
- 9.8 CRITICAL CVE-2026-2690
  A flaw has been found in itsourcecode Event Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login of the component Admin Login. This manipulation of the argument Username causes sql inje...
  Affected Products: event_management_system
  Published: Feb. 19, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Injection
- 8.8 HIGH CVE-2026-26746
  OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file...
  Affected Products: open_source_point_of_sale
  Published: Feb. 20, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Path Traversal
- 6.1 MEDIUM CVE-2025-62326
  HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit.
  Affected Products: digital_experience
  Published: Feb. 20, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Cross-Site Scripting
- 9.8 CRITICAL CVE-2026-2689
  A vulnerability was detected in itsourcecode Event Management System 1.0. Affected is an unknown function of the file /admin/manage_booking.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exp...
  Affected Products: event_management_system
  Published: Feb. 19, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Injection
- 9.8 CRITICAL CVE-2019-25364
  MailCarrier 2.51 contains a buffer overflow vulnerability in the POP3 USER command that allows remote attackers to execute arbitrary code. Attackers can send a crafted oversized buffer to the POP3 service, overwriting memory and potentially gaining remote...
  Affected Products: mailcarrier
  Published: Feb. 18, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Memory Corruption
- 6.2 MEDIUM CVE-2019-25326
  ipPulse 1.92 contains a denial of service vulnerability that allows local attackers to crash the application by providing an oversized input in the Enter Key field. Attackers can generate a 256-byte buffer of repeated 'A' characters to trigger an applicat...
  Affected Products: ippulse
  Published: Feb. 18, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Denial of Service
- 8.0 HIGH CVE-2025-70329
  TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to the CsteS...
  Published: Feb. 23, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Injection
- 7.5 HIGH CVE-2025-69700
  Tenda FH1203 V2.0.1.6 contains a stack-based buffer overflow vulnerability in the modify_add_client_prio function, which is reachable via the formSetClientPrio CGI handler.
  Published: Feb. 23, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Memory Corruption
- 9.8 CRITICAL CVE-2026-24853
  Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Ho...
  Affected Products: caido
  Published: Feb. 13, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Server-Side Request Forgery
- 0.0 NA CVE-2025-46320
  A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7.
  Published: Feb. 24, 2026
  Modified: Feb. 24, 2026
  Vuln Type: Cross-Site Scripting