CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer
Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
apacheCWE-87Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks
Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.
CWE-384DBI versions before 1.648 for Perl saved errors in a limited-sized buffer
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influence the error text in an application can trigger a buffer overflow.
perlCWE-787An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie
An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later
qnapCWE-639Logic bypass vulnerability in the file system
Logic bypass vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-606UAF vulnerability in the package management module
UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
CWE-284UAF vulnerability in the package management module
UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
CWE-284DoS vulnerability in the browser kernel
DoS vulnerability in the browser kernel. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-399Race condition vulnerability in the IPC module
Race condition vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-416Out-of-bounds write vulnerability in the IPC module
Out-of-bounds write vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-122DoS vulnerability in the log service
DoS vulnerability in the log service. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-190Permission control vulnerability in the audio framework
Permission control vulnerability in the audio framework. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CWE-275Permission control vulnerability in service notifications
Permission control vulnerability in service notifications. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-264Permission control vulnerability in calls
Permission control vulnerability in calls. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-840Path traversal vulnerability in the SMS app
Path traversal vulnerability in the SMS app. Impact: Successful exploitation of this vulnerability may affect availability.
CWE-22A buffer overflow vulnerability has been reported to affect several QNAP operating system versions
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later
qnapCWE-121The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that ...
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
CWE-79A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-...
A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
CWE-170CWE-787The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, ...
The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.
CWE-862A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later
qnapCWE-79
6.1 MEDIUM
9.1 CRITICAL
2.4 LOWWeekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.