CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
showdocCWE-338showdoc is vulnerable to Missing Cryptographic Step
showdoc is vulnerable to Missing Cryptographic Step
showdocCWE-325CWE-347CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow
CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.
codesysCWE-122CWE-787OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page
OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page.
openplcprojectCWE-79It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA, incorrectly included additio...
It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA, incorrectly included additional certificates. The Service CA is automatically mounted into all pods, allowing them to safely connect to trusted in-cluster services that present certificates signed by the trusted Service CA. The incorrect inclusion of additional CAs in this certificate would allow an attacker that compromises any of the additional CAs to masquerade as a trusted in-cluster service.
redhatCWE-287CWE-295app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.
misp-projectCWE-79app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships
app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.
misp-projectCWE-79app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.
misp-projectCWE-79url-parse is vulnerable to URL Redirection to Untrusted Site
url-parse is vulnerable to URL Redirection to Untrusted Site
url-parse_projectCWE-601An issue in Jumpserver before 2.6.2, before 2.5.4, before 2.4.5 allows attackers to create a connection token through an API which does n...
An issue in Jumpserver before 2.6.2, before 2.5.4, before 2.4.5 allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
jumpserverCWE-74A stored cross site scripting (XSS) vulnerability in the /sys/attachment/uploaderServlet component of Landray EKP V12.0.9.R.20160325 allo...
A stored cross site scripting (XSS) vulnerability in the /sys/attachment/uploaderServlet component of Landray EKP V12.0.9.R.20160325 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG, SHTML, or MHT file.
landrayCWE-79By abusing the 'install rpm info detail' command, an attacker can escape the restricted clish shell on affected versions of Ivanti Mobile...
By abusing the 'install rpm info detail' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0.
ivantiCWE-88By abusing the 'install rpm url' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core
By abusing the 'install rpm url' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0.
ivantiCWE-78Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenti...
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds.
rapid7CWE-79An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress
An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php td_block_id parameter in a td_ajax_block API call.
tagdivCWE-79sz.chat version 4 allows injection of web scripts and HTML in the message box
sz.chat version 4 allows injection of web scripts and HTML in the message box.
forticsCWE-79A vulnerability was reported on some Lenovo Notebook systems that could allow an attacker with physical access to elevate privileges unde...
A vulnerability was reported on some Lenovo Notebook systems that could allow an attacker with physical access to elevate privileges under certain conditions during a BIOS update performed by Lenovo Vantage.
lenovoCWE-636Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker...
Some Lenovo Notebook, ThinkPad, and Lenovo Desktop systems have BIOS modules unprotected by Intel Boot Guard that could allow an attacker with physical access the ability to write to the SPI flash storage.
lenovoCWE-693A potential vulnerability in the system shutdown SMI callback function in some ThinkPad models may allow an attacker with local access an...
A potential vulnerability in the system shutdown SMI callback function in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
lenovoCWE-20URI.js is vulnerable to URL Redirection to Untrusted Site
URI.js is vulnerable to URL Redirection to Untrusted Site
uri.js_projectCWE-601
5.9 MEDIUM
9.8 CRITICAL
3.5 LOWWeekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.