CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php
Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php.
hospital_management_system_projectCWE-79Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php
Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php.
hospital_management_system_projectCWE-862SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php
SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php.
hospital_management_system_projectCWE-89An unrestricted file upload on Simple Image Gallery Web App can be exploited to upload a web shell and executed to gain unauthorized acce...
An unrestricted file upload on Simple Image Gallery Web App can be exploited to upload a web shell and executed to gain unauthorized access to the server hosting the web app.
simple_image_gallery_web_app_projectCWE-434A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitr...
A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar.
online_catering_reservation_system_projectCWE-79A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php
A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM.
exponentcmsCWE-116Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input
Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input.
crocoblockCWE-79D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification
D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device.
dlinkCWE-15imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header
imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header.
imgurl_projectCWE-79In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS
In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS.
compoCWE-79In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS
In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS.
compoCWE-79TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashboard, and /admin/system_logs
TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashboard, and /admin/system_logs.
tastyigniterCWE-79The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection
The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection.
newsletter_projectCWE-89The Software Development Kit in Mitel MiContact Center Business from 8.0.0.0 through 8.1.4.1 and 9.0.0.0 through 9.3.1.0 could allow an u...
The Software Development Kit in Mitel MiContact Center Business from 8.0.0.0 through 8.1.4.1 and 9.0.0.0 through 9.3.1.0 could allow an unauthenticated attacker to access (view and modify) user data without authorization due to improper handling of tokens.
mitelHashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
hashicorpCWE-212HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage f...
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
hashicorpCWE-281The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ...
The remove API in v1/controller/cloudStorage/alibabaCloud/remove/index.ts in netless Agora Flat Server before 2021-07-30 mishandles file ownership.
netlessopenBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-...
openBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-site scripting (XSS) attack against an administrative user from hr/subscription.jsp and hr/application.jsp and and hr/index.jsp (with view=).
openbarazaCWE-79A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7
A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.
fedoraprojectlinuxredhatCWE-119A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR...
A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5.
fedoraprojectlinuxredhatCWE-362
6.1 MEDIUM
9.8 CRITICALWeekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.