CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in ...
The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
bitdefenderCWE-787Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, im...
Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned.
bitdefenderCWE-787CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote a...
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, non-default site configuration and valid back-end authorization.
progressCWE-522CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 1...
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
progressCWE-639CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15...
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration.
progressCWE-20Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.
CWE-502Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Wa...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4.
CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5.
CWE-98Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via ex...
Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/* endpoints.
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racq...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0.
CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cook...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8.
CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Ferm...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion. This issue affects Fermentio: from n/a through 1.5.0.
CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Spin...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Spin allows PHP Local File Inclusion. This issue affects Spin: from n/a through 1.8.
CWE-98Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower con...
Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow network-adjacent attackers to spoof or tamper with data and cause denial-of-service conditions. Attackers with access to an enabled Infinity network port or physical proximity to a wireless access point can modify device settings such as alarm states or alarm limits, and overwhelm the system with incoming data causing the device to reboot and lose network functionality.
CWE-924Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad WP Job Portal allows Reflecte...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad WP Job Portal allows Reflected XSS. This issue affects WP Job Portal: from n/a through 2.5.1.
CWE-79Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Con...
Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.
CWE-862Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels
Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.3.2.0.
CWE-862Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection
Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1.
CWE-502Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection
Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6.
CWE-502
7.8 HIGHWeekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.