CVE | THREATINT

Welcome

This is a free service provided by THREATINT. It is hosted in Europe

It contains information on publicly disclosed cyber security vulnerabilities based on data from the CVE® Program, please see the official CVE website and CVE List V5 on GitHub. Whenever applicable we also show information from the Known Exploited Vulnerabilities Catalog provided by US CISA as the authoritative source of vulnerabilities that have been exploited in the wild.

New

CVE-2026-33659: EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access: EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual H...

CVE-2026-6218: aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting: A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.

CVE-2026-32272: Craft Commerce: Blind SQL Injection via hasVariant/hasProduct: Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklis...

CVE-2026-32271: Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget: Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation cha...

CVE-2026-6216: DbGate SVG Icon String FontIcon.svelte cross site scripting: A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been discl...

Updated

CVE-2026-36922: Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php.

CVE-2025-51414: In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.

CVE-2026-39645: WordPress GlobalPayments WooCommerce plugin <= 1.18.0 - Server Side Request Forgery (SSRF) vulnerability: Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.

CVE-2026-36923: Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php.

CVE-2026-36946: Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php.

CISA Known Exploited Vulnerabilities

CVE-2025-60710 Microsoft Windows: Microsoft Windows contains a link following vulnerability that allows for privilege escalation

CVE-2023-36424 Microsoft Windows: Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation

CVE-2012-1854 Microsoft Visual Basic for Applications (VBA): Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.

CVE-2023-21529 Microsoft Exchange Server: Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution.

CVE-2026-34621 Adobe Acrobat and Reader: Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.

Additional information

EUVD (European Union Vulnerability Database) is maintained by ENISA (European Union Agency for Cybersecurity), under the European Union’s regulatory umbrella, serving as a centralized platform for vulnerability reporting specifically aligned with the EU’s legal frameworks such as NIS2 and the Cyber Resilience Act (CRA)

EUVD complements the CVE system by aggregating CVE data, but also assigns its own EUVD IDs to vulnerabilities, offers enriched metadata tailored for EU policies and compliance, and may highlight vulnerabilities particularly relevant to the European market.

Most vulnerabilities catalogued in EUVD will have both a CVE-ID and an EUVD-ID, acting as cross-references.

euvd.enisa.europa.eu

Source: media.ccc.de/v/eh22-138-panic-at-the-cve-o-theque.

A big "thank you" goes to @pennylane.

help @ threatint.eu