CVEs classified under CWE-488, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (23)
CVE-2025-47928 — CVSS 9.1 (critical): Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on…
CVE-2024-27455 — CVSS 9.1 (critical): In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user's ALIM session token when the user…
CVE-2025-1247 — CVSS 8.3 (high): A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection…
CVE-2024-38367 — CVSS 8.2 (high): trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f…
CVE-2023-1907 — CVSS 8.0 (high): A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to…
CVE-2026-54311 — CVSS 7.7 (high): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify…
CVE-2026-34391 — CVSS 7.5 (high): Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a…
CVE-2025-30073 — CVSS 7.5 (high): An issue was discovered in OPC cardsystems Webapp Aufwertung 2.1.0. The reference assigned to transactions can be reused. When completing a…
CVE-2024-5148 — CVSS 7.5 (high): A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session…
CVE-2024-6162 — CVSS 7.5 (high): A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener…
CVE-2023-6519 — CVSS 7.5 (high): Exposure of Data Element to Wrong Session vulnerability in Mia Technology Inc. MİA-MED allows Read Sensitive Strings Within an Executable…
CVE-2024-27935 — CVSS 7.2 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in…
CVE-2026-23919: For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks)…
CVE-2024-41977 — CVSS 7.1 (high): A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.1), RUGGEDCOM RM1224 LTE(4G) NAM…
CVE-2026-23646 — CVSS 6.5 (medium): OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the…
CVE-2025-2312 — CVSS 5.9 (medium): A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an…
CVE-2025-24934 — CVSS 5.4 (medium): Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its…
CVE-2024-7049 — CVSS 5.4 (medium): In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This…
CVE-2024-11094 — CVSS 5.3 (medium): The 404 Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.35.17 via the…
CVE-2025-27606 — CVSS 5.1 (medium): Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances…
CVE-2024-1223 — CVSS 4.8 (medium): This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have…
CVE-2026-27492 — CVSS 4.7 (medium): Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject…
CVE-2026-14621 — CVSS 3.1 (low): A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the…