| CVE | Description | Severity |
|---|---|---|
| CVE-2026-21983 | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | high |
| CVE-2026-21961 | Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | medium |
| CVE-2026-21938 | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | medium |
| CVE-2026-21945 | A Blind Server-Side Request Forgery (SSRF) vulnerability exists in Oracle Java 21. The vulnerability, which leads to Denial of Service (DoS), is present in the X.509 certificate path validation mechanism when the non-default system property `com.sun.security.enableAIAcaIssuers` is set to true (with that property set, the path builder fetches issuer certificates from the caIssuers URLs in a certificate's Authority Information Access extension, and those URLs are attacker-supplied). | high |
| CVE-2026-21664 | HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the `afr.php` delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | medium |
| CVE-2026-21642 | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | medium |
| CVE-2025-63647 | A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. | high |
| CVE-2025-55130 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | high |
| CVE-2026-0622 | Open5GS WebUI uses a hard-coded JWT signing key (`change-me`) whenever the environment variable `JWT_SECRET_KEY` is unset, so anyone who knows the default can mint tokens the WebUI accepts as valid. | critical |
| CVE-2026-1245 | A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. | critical |
| CVE-2025-56353 | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs... | high |
| CVE-2025-55423 | ipTIME routers A2003NS-MU 10.00.6 to 12.16.2 , N600 10.00.8 to 12.16.2, A604-V3 10.01.6 to 10.07... | critical |
| CVE-2025-36410 | IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions... | low |
| CVE-2025-36408 | IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an... | medium |
| CVE-2025-36396 | IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This... | medium |
| CVE-2025-33233 | NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could... | high |
| CVE-2025-33231 | NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading... | high |
| CVE-2025-33230 | NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker... | high |
| CVE-2025-67263 | Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which is then persisted in the database. | medium |
| CVE-2025-67261 | Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | critical |
| CVE-2025-33228 | NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | high |
| CVE-2025-65482 | An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | critical |
| CVE-2025-64087 | A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. | critical |
| CVE-2025-36419 | IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. | medium |
| CVE-2025-36418 | IBM ApplinX 11.1 is vulnerable to privilege escalation due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON Web Token in order to impersonate another user or to elevate their privileges. | high |
| CVE-2025-36409 | IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | medium |
| CVE-2025-36397 | IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | medium |
| CVE-2025-36115 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not invalidate the session ID after use, which could allow an authenticated user to impersonate another user on the system. | medium |
| CVE-2025-36113 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | medium |
| CVE-2025-36066 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | medium |
| CVE-2025-36065 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not invalidate the session after the browser is closed, which could allow an authenticated user to impersonate another user on the system. | medium |
| CVE-2025-36059 | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006, and IBM Cloud Pak for Business Automation, could allow a local user with access to the container to execute OS system calls. | high |
| CVE-2025-36058 | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006, and IBM Cloud Pak for Business Automation, may disclose sensitive configuration information in a config map. | medium |
| CVE-2026-0726 | The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object... | high |
| CVE-2026-0548 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to... | medium |
| CVE-2025-55071 | A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality... | medium |
| CVE-2025-54861 | A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality... | medium |
| CVE-2025-9466 | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition.... | high |
| CVE-2025-9465 | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition.... | high |
| CVE-2025-9281 | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition.... | high |
| CVE-2025-9279 | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition.... | high |
| CVE-2025-54853 | A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of... | medium |
| CVE-2025-54817 | A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of... | medium |
| CVE-2025-54814 | A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter... | medium |
| CVE-2025-54157 | A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality... | medium |
| CVE-2025-14376 | A security issue was discovered within the legacy ADI server component of Verve Asset Manager,... | high |
| CVE-2025-14115 | IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0... | high |
| CVE-2025-12985 | IBM Licensing Operator incorrectly assigns privileges to security critical files which could... | high |
| CVE-2025-41081 | Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability... | medium |
| CVE-2026-0608 | The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | medium |
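The CVE-2025-55130 entry above describes a relative-symlink escape from an allowed directory. The following is an added example, not Node.js project code and not the permission model's own implementation: it contrasts a lexical containment check (which only collapses `..` segments) with one that calls `realpath()` on both the root and the requested path, so that a link inside the allowed tree is judged by where it actually resolves. The fixture directory, file names and the `relIsInside`/`isInsideLexical`/`isInsideReal` helpers are all constructed for this illustration; it assumes a POSIX temp directory where symlinks can be created.

```javascript
// Added example (not Node.js project code): a path-containment check that
// resolves symlinks before deciding whether a requested path lies inside an
// allowed directory. The lexical version is the kind of check a relative
// symlink walks straight through; the realpath version is not.
const fs = require('fs');
const os = require('os');
const path = require('path');

// True when a path.relative() result stays inside the root.
function relIsInside(rel) {
  return rel === '' ||
    (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Lexical check: collapses ".." segments but never follows symlinks.
function isInsideLexical(root, requested) {
  const absRoot = path.resolve(root);
  return relIsInside(path.relative(absRoot, path.resolve(absRoot, requested)));
}

// Hardened check: realpath() both sides, so a link inside root that points
// outside is judged by where it actually resolves. Fails closed on errors.
function isInsideReal(root, requested) {
  let realRoot, realTarget;
  try {
    realRoot = fs.realpathSync(path.resolve(root));
    realTarget = fs.realpathSync(path.resolve(realRoot, requested));
  } catch (e) {
    return false; // missing file or dangling link: deny
  }
  return relIsInside(path.relative(realRoot, realTarget));
}

// Constructed fixture (assumption: a POSIX tmpdir where symlinks are allowed):
//   <base>/secret.txt            outside the allowed tree
//   <base>/allowed/ok.txt        inside
//   <base>/allowed/escape  ->  ../secret.txt
function buildFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-escape-'));
  const allowed = path.join(base, 'allowed');
  fs.mkdirSync(allowed);
  fs.writeFileSync(path.join(base, 'secret.txt'), 'outside\n');
  fs.writeFileSync(path.join(allowed, 'ok.txt'), 'inside\n');
  fs.symlinkSync(path.join('..', 'secret.txt'), path.join(allowed, 'escape'));
  return { base, allowed };
}

function demoSymlink() {
  const { base, allowed } = buildFixture();
  try {
    return {
      lexicalOk: isInsideLexical(allowed, 'ok.txt'),               // true
      lexicalEscape: isInsideLexical(allowed, 'escape'),           // true: looks inside
      realOk: isInsideReal(allowed, 'ok.txt'),                     // true
      realEscape: isInsideReal(allowed, 'escape'),                 // false: resolves outside
      dotdot: isInsideReal(allowed, path.join('..', 'secret.txt')), // false
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}

console.log(demoSymlink());
```

Note that the realpath check is only as good as the moment it runs: a link can be swapped between the check and the open (TOCTOU), so a sandbox that matters should also open with `O_NOFOLLOW`-style flags or an fd-relative API rather than re-resolving the string path.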
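Two entries above concern JWT handling: CVE-2026-0622 (a well-known fallback signing key when `JWT_SECRET_KEY` is unset) and CVE-2025-36418 (improper verification of JWTs). This is an added example, not code from Open5GS, IBM ApplinX, or any JWT library; it implements HS256 signing and verification directly on Node's `crypto` module to show both points: a fallback secret lets anyone mint an admin token, and a verifier must pin the algorithm, compare signatures in constant time and enforce expiry. The `weakSecret`/`strictSecret` loaders, the `change-me` fallback pattern and the token payloads are constructed for the illustration.

```javascript
// Added example (not Open5GS or IBM code): minimal HS256 JWT sign/verify
// showing why a fallback secret is equivalent to no secret, and the checks
// a verifier has to make before trusting a token's claims.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

function sign(payload, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(sig)}`;
}

// Weak loader (the pattern the advisory describes): silently fall back to a
// literal that is public knowledge when the variable is unset.
function weakSecret(env) {
  return env.JWT_SECRET_KEY || 'change-me';
}

// Hardened loader: refuse to start without a real secret.
function strictSecret(env) {
  const s = env.JWT_SECRET_KEY;
  if (!s || s.length < 32 || s === 'change-me') {
    throw new Error('JWT_SECRET_KEY must be set to a random value of at least 32 bytes');
  }
  return s;
}

// Strict verifier: algorithm pinned by the server, constant-time signature
// compare, expiry enforced. Returns the payload or null.
function verify(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, b, s] = parts;
  let header;
  try { header = JSON.parse(fromB64url(h).toString('utf8')); } catch (e) { return null; }
  if (!header || header.alg !== 'HS256') return null; // never let the token pick alg
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${b}`).digest();
  const given = fromB64url(s);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let payload;
  try { payload = JSON.parse(fromB64url(b).toString('utf8')); } catch (e) { return null; }
  if (!payload || typeof payload.exp !== 'number' || payload.exp <= now) return null;
  return payload;
}

function demoJwt() {
  const now = 1700000000; // fixed clock for a deterministic run
  const serverSecret = weakSecret({}); // constructed: deployment forgot JWT_SECRET_KEY
  // Attacker needs no access at all: mint an admin token with the public default.
  const forged = sign({ sub: 'admin', role: 'admin', exp: now + 3600 }, 'change-me');
  const accepted = verify(forged, serverSecret, now);
  // Tampering attempt against the strict verifier: swap the header to alg:none.
  const body = forged.split('.')[1];
  const tampered = `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${body}.`;
  let strictRefusesBoot = false;
  try { strictSecret({}); } catch (e) { strictRefusesBoot = true; }
  return {
    forgedAccepted: accepted !== null && accepted.role === 'admin', // true
    noneRejected: verify(tampered, serverSecret, now) === null,    // true
    expiredRejected: verify(sign({ sub: 'u', exp: now - 1 }, serverSecret), serverSecret, now) === null, // true
    strictRefusesBoot,                                             // true
  };
}

console.log(demoJwt());
```

The forged token is cryptographically valid: the weakness is entirely that the key is known, which is why rotating to a random secret is the fix and why `strictSecret` treats an unset variable as a startup error rather than a warning.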
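The CVE-2026-1245 entry above describes a library that interpolates caller-supplied field names into dynamically generated JavaScript. The following is an added example and is not the binary-parser library's code: it builds a toy field-reader generator the way the advisory describes (raw interpolation into `new Function`) next to a version that validates names against an identifier grammar and emits them quoted. The generator, the `pwned` marker and the malicious field name are constructed for the illustration.

```javascript
// Added example (not binary-parser code): code generation from untrusted
// field names, the vulnerable way and the validated way.

// Vulnerable: the field name is pasted straight into source text, so a name
// that closes the statement becomes arbitrary code in the generated function.
function vulnerableGenerator(fieldNames) {
  let src = 'const out = {};\n';
  fieldNames.forEach((name, i) => {
    src += `out.${name} = buf[${i}];\n`;
  });
  src += 'return out;';
  return new Function('buf', src);
}

// Hardened: only accept plain identifiers, and emit them as JSON string
// literals in bracket syntax so they can never be parsed as code.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function safeGenerator(fieldNames) {
  for (const name of fieldNames) {
    if (typeof name !== 'string' || !IDENT.test(name)) {
      throw new Error(`invalid field name: ${JSON.stringify(name)}`);
    }
  }
  let src = 'const out = {};\n';
  fieldNames.forEach((name, i) => {
    src += `out[${JSON.stringify(name)}] = buf[${i}];\n`;
  });
  src += 'return out;';
  return new Function('buf', src);
}

function demoCodegen() {
  const buf = Buffer.from([0x01, 0x02]); // constructed input
  // Constructed malicious "field name": ends the assignment, runs code, then
  // re-opens a harmless assignment so the generated source still parses.
  const evil = 'x = 0; globalThis.pwned = "code ran"; out.y';
  delete globalThis.pwned;
  vulnerableGenerator(['len', evil])(buf);
  const vulnerableRan = globalThis.pwned === 'code ran';
  let safeRejected = false;
  try { safeGenerator(['len', evil]); } catch (e) { safeRejected = true; }
  const benign = safeGenerator(['len', 'flags'])(buf);
  return { vulnerableRan, safeRejected, benign }; // true, true, { len: 1, flags: 2 }
}

console.log(demoCodegen());
```

The generated source for the malicious name reads `out.x = 0; globalThis.pwned = "code ran"; out.y = buf[1];`, which is exactly why an allow-list on the name (rather than escaping after the fact) is the right control for any template-to-code path.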
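Most of the entries above (CVE-2026-21664, CVE-2026-21642, CVE-2025-67263, CVE-2025-36408, CVE-2025-36409, CVE-2025-36396, CVE-2025-36113, CVE-2025-36066, CVE-2025-41081, CVE-2026-0608 and the Talos `modify*` family) are the same bug: a parameter or stored field is written into an HTML response without escaping. This is an added example, not code from Revive Adserver, IBM, Abacre or any of the other vendors listed: a tiny page renderer that reflects a query parameter into both a text node and an attribute value, first unescaped and then through a context-appropriate HTML escaper. The `renderVulnerable`/`renderSafe` templates, the payloads and the tag-count check are constructed for the illustration.

```javascript
// Added example (not any listed vendor's code): reflected parameter rendered
// without and with HTML escaping, plus a crude way to see the difference.

// Escapes the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The reflected-XSS pattern: the parameter lands in a text node and inside a
// double-quoted attribute with no encoding at all.
function renderVulnerable(params) {
  return `<p>Results for: ${params.q}</p>\n<input name="q" value="${params.q}">`;
}

// Same template, escaped at output time (this also covers the stored-XSS
// entries: where the value came from does not change what the output needs).
function renderSafe(params) {
  const q = escapeHtml(params.q);
  return `<p>Results for: ${q}</p>\n<input name="q" value="${q}">`;
}

// The templates above contain exactly three tags (<p>, </p>, <input>). Any
// additional '<' in the output is markup that came from the parameter.
const TEMPLATE_TAGS = 3;
const countTags = (html) => html.split('<').length - 1;

function demoXss() {
  // Constructed payloads: a text-context script and an attribute breakout.
  const payloads = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>'];
  return payloads.map((p) => ({
    payload: p,
    vulnerableInjected: countTags(renderVulnerable({ q: p })) > TEMPLATE_TAGS, // true
    safeInjected: countTags(renderSafe({ q: p })) > TEMPLATE_TAGS,             // false
  }));
}

console.log(demoXss());
```

A tag count is only a demonstration aid; the real check is that the parameter can never change the parser state of the context it lands in, which is what the escaper guarantees for text and quoted attributes (JavaScript, URL and CSS contexts each need their own encoder).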