Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692
Total
727
Critical
3080
High
3407
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-4093 | UNKNOWN | — | In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the … | May 21, 2026 |
| CVE-2026-22678 | MEDIUM | 5.4 | Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged … | May 21, 2026 |
| CVE-2026-8428 | UNKNOWN | — | Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The … | May 21, 2026 |
| CVE-2026-8426 | UNKNOWN | — | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for … | May 21, 2026 |
| CVE-2026-8421 | UNKNOWN | — | Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit … | May 21, 2026 |
| CVE-2026-8417 | UNKNOWN | — | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before … | May 21, 2026 |
| CVE-2026-8352 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | May 21, 2026 |
| CVE-2026-8350 | UNKNOWN | — | Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user … | May 21, 2026 |
| CVE-2026-8205 | UNKNOWN | — | Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results … | May 21, 2026 |
| CVE-2026-8204 | UNKNOWN | — | Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar … | May 21, 2026 |
| CVE-2026-8203 | UNKNOWN | — | Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges … | May 21, 2026 |
| CVE-2026-8197 | UNKNOWN | — | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's … | May 21, 2026 |
| CVE-2026-8140 | UNKNOWN | — | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() … | May 21, 2026 |
| CVE-2026-8135 | UNKNOWN | — | Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with … | May 21, 2026 |
| CVE-2026-8134 | UNKNOWN | — | Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue … | May 21, 2026 |
| CVE-2026-6826 | UNKNOWN | — | Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request … | May 21, 2026 |
| CVE-2026-47102 | HIGH | 8.8 | LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only … | May 21, 2026 |
| CVE-2026-47101 | HIGH | 8.8 | LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a … | May 21, 2026 |
| CVE-2026-4843 | MEDIUM | 4.3 | The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function … | May 21, 2026 |
| CVE-2026-47114 | HIGH | 8.8 | IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the … | May 21, 2026 |
| CVE-2026-46473 | HIGH | 7.5 | Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security … | May 21, 2026 |
| CVE-2026-48249 | MEDIUM | 5.9 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests … | May 21, 2026 |
| CVE-2026-48248 | MEDIUM | 5.9 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests … | May 21, 2026 |
| CVE-2026-48247 | MEDIUM | 5.9 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests … | May 21, 2026 |
| CVE-2026-48246 | MEDIUM | 5.9 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests … | May 21, 2026 |