Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10110, Critical: 681, High: 2907, Medium: 3176
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-46362 | MEDIUM | 6.5 | phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected … | May 15, 2026 |
| CVE-2026-46361 | MEDIUM | 6.9 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers … | May 15, 2026 |
| CVE-2026-46360 | MEDIUM | 5.4 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated … | May 15, 2026 |
| CVE-2026-46359 | HIGH | 7.5 | phpMyFAQ before 4.1.2 contains a SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers … | May 15, 2026 |
| CVE-2026-45800 | UNKNOWN | — | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an … | May 15, 2026 |
| CVE-2026-45622 | UNKNOWN | — | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an … | May 15, 2026 |
| CVE-2026-45616 | UNKNOWN | — | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, this vulnerability is … | May 15, 2026 |
| CVE-2026-45010 | CRITICAL | 9.1 | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or … | May 15, 2026 |
| CVE-2026-45009 | MEDIUM | 4.3 | phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status … | May 15, 2026 |
| CVE-2026-45008 | MEDIUM | 6.5 | phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences … | May 15, 2026 |
| CVE-2026-45007 | MEDIUM | 4.3 | phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata … | May 15, 2026 |
| CVE-2026-44826 | HIGH | 7.5 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does … | May 15, 2026 |
| CVE-2026-44719 | UNKNOWN | — | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list … | May 15, 2026 |
| CVE-2026-44718 | UNKNOWN | — | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate … | May 15, 2026 |
| CVE-2026-44366 | MEDIUM | 6.1 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site … | May 15, 2026 |
| CVE-2021-47968 | MEDIUM | 6.4 | Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description … | May 15, 2026 |
| CVE-2021-47967 | MEDIUM | 6.1 | PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can … | May 15, 2026 |
| CVE-2021-47966 | HIGH | 8.2 | PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allow unauthenticated attackers to extract database contents. … | May 15, 2026 |
| CVE-2021-47965 | CRITICAL | 9.8 | WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file … | May 15, 2026 |
| CVE-2021-47964 | HIGH | 8.8 | Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the … | May 15, 2026 |
| CVE-2021-47963 | HIGH | 7.2 | Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the … | May 15, 2026 |
| CVE-2021-47962 | MEDIUM | 6.4 | Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript … | May 15, 2026 |
| CVE-2021-47959 | HIGH | 7.5 | WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated … | May 15, 2026 |
| CVE-2021-47958 | MEDIUM | 4.3 | CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload … | May 15, 2026 |
| CVE-2026-46474 | UNKNOWN | — | Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security … | May 15, 2026 |