Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10192, Critical: 692, High: 2939, Medium: 3205

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-46408 | HIGH | 7.6 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint … | May 15, 2026 |
| CVE-2026-46407 | HIGH | 8.1 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token … | May 15, 2026 |
| CVE-2026-46367 | HIGH | 7.6 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can … | May 15, 2026 |
| CVE-2026-46366 | HIGH | 7.5 | phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and … | May 15, 2026 |
| CVE-2026-46365 | MEDIUM | 5.4 | phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, including … | May 15, 2026 |
| CVE-2026-46364 | CRITICAL | 9.8 | phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated … | May 15, 2026 |
| CVE-2026-46363 | MEDIUM | 5.4 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated … | May 15, 2026 |
| CVE-2026-46362 | MEDIUM | 6.5 | phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected … | May 15, 2026 |
| CVE-2026-46361 | MEDIUM | 6.9 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers … | May 15, 2026 |
| CVE-2026-46360 | MEDIUM | 5.4 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated … | May 15, 2026 |
| CVE-2026-46359 | HIGH | 7.5 | phpMyFAQ before 4.1.2 contains a SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers … | May 15, 2026 |
| CVE-2026-45800 | UNKNOWN | — | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an … | May 15, 2026 |
| CVE-2026-45622 | UNKNOWN | — | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an … | May 15, 2026 |
| CVE-2026-45616 | UNKNOWN | — | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, this vulnerability is … | May 15, 2026 |
| CVE-2026-45010 | CRITICAL | 9.1 | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or … | May 15, 2026 |
| CVE-2026-45009 | MEDIUM | 4.3 | phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status … | May 15, 2026 |
| CVE-2026-45008 | MEDIUM | 6.5 | phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences … | May 15, 2026 |
| CVE-2026-45007 | MEDIUM | 4.3 | phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata … | May 15, 2026 |
| CVE-2026-44826 | HIGH | 7.5 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does … | May 15, 2026 |
| CVE-2026-44719 | UNKNOWN | — | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list … | May 15, 2026 |
| CVE-2026-44718 | UNKNOWN | — | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate … | May 15, 2026 |
| CVE-2026-44366 | MEDIUM | 6.1 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site … | May 15, 2026 |
| CVE-2021-47968 | MEDIUM | 6.4 | Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description … | May 15, 2026 |
| CVE-2021-47967 | MEDIUM | 6.1 | PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can … | May 15, 2026 |
| CVE-2021-47966 | HIGH | 8.2 | PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allow unauthenticated attackers to extract database contents. … | May 15, 2026 |