CVEs classified under CWE-943, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (45)
CVE-2026-40141 — CVSS 9.9 (critical): A high-severity vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access related to…
CVE-2024-4872 — CVSS 9.9 (critical): A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited this could allow an authenticated…
CVE-2026-41274 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node…
CVE-2026-40351 — CVSS 9.8 (critical): FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion…
CVE-2026-32248 — CVSS 9.8 (critical): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38…
CVE-2026-29793 — CVSS 9.8 (critical): Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42…
CVE-2026-45689 — CVSS 9.1 (critical): Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5…
CVE-2026-45688 — CVSS 9.1 (critical): Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5…
CVE-2026-41328 — CVSS 9.1 (critical): Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an…
CVE-2026-41327 — CVSS 9.1 (critical): Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an…
CVE-2026-40352 — CVSS 8.8 (high): FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An…
CVE-2018-7829 — CVSS 8.8 (high): An Improper Neutralization of Special Elements in Query vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra…
CVE-2017-12904 — CVSS 8.8 (high): Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows…
CVE-2026-47835 — CVSS 8.6 (high): In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and…
CVE-2025-24787 — CVSS 8.6 (high): WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database…
CVE-2026-33980 — CVSS 8.3 (high): Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure…
CVE-2026-46591 — CVSS 8.2 (high): Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer…
CVE-2026-32247 — CVSS 8.1 (high): Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher…
CVE-2026-28211 — CVSS 7.8 (high): The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions…
CVE-2026-22558 — CVSS 7.7 (high): An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access…
CVE-2026-44840 — CVSS 7.5 (high): Dgraph is an open source distributed GraphQL database. Prior to version 25.3.4, the `checkUserPassword` GraphQL query in Dgraph is…
CVE-2026-30941 — CVSS 7.5 (high): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1…
CVE-2026-10698 — CVSS 7.2 (high): Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This…
CVE-2026-53674 — CVSS 7.1 (high): BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility…
CVE-2026-42156: Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to…
CVE-2026-40102 — CVSS 6.5 (medium): Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment…
CVE-2026-42316 — CVSS 6.5 (medium): kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3…
CVE-2026-25591 — CVSS 6.5 (medium): New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10…
CVE-2025-36442 — CVSS 6.5 (medium): IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service…
CVE-2025-36366 — CVSS 6.5 (medium): IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that…
CVE-2025-42884 — CVSS 6.5 (medium): SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI…
CVE-2021-1349 — CVSS 6.5 (medium): A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to…
CVE-2025-36353 — CVSS 6.2 (medium): IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a…
CVE-2025-36185 — CVSS 6.2 (medium): IBM Db2 12.1.0 through 12.1.2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of…
CVE-2026-41696 — CVSS 5.9 (medium): Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the…
CVE-2021-34712 — CVSS 5.4 (medium): A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to…
CVE-2026-34973 — CVSS 5.3 (medium): phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php…
CVE-2026-30833 — CVSS 5.3 (medium): Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2…
CVE-2025-33114 — CVSS 5.3 (medium): IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to denial of service with a specially crafted query under certain non-default…
CVE-2024-35136 — CVSS 5.3 (medium): IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) federated server 10.5, 11.1, and 11.5 is vulnerable to denial of service…
CVE-2026-41697 — CVSS 4.8 (medium): Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING…
CVE-2025-23292 — CVSS 4.6 (medium): NVIDIA Delegated Licensing Service for all appliance platforms contains a SQL injection vulnerability where an User/Attacker may cause an…
CVE-2026-33566 — CVSS 4.3 (medium): There is a cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of…
CVE-2021-1481 — CVSS 4.3 (medium): A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker…
CVE-2026-0504 — CVSS 3.8 (low): Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially…