Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-41455 WeKan beforeΒ 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination val... | 8.5 | HIGH | β | 0 |
| CVE-2026-41454 WeKan beforeΒ 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privileg... | 8.3 | HIGH | β | 0 |
| CVE-2026-41314 pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires ... | N/A | NONE | β | 0 |
| CVE-2026-41313 pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a ... | N/A | NONE | β | 0 |
| CVE-2026-41312 pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires ... | N/A | NONE | β | 0 |
| CVE-2026-41177 Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-41175 Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in Grap... | 8.1 | HIGH | β | 0 |
| CVE-2026-41172 Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server t... | N/A | NONE | β | 0 |
| CVE-2026-41171 Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection... | N/A | NONE | β | 0 |
| CVE-2026-41170 Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an a... | N/A | NONE | β | 0 |
| CVE-2026-40517 radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with n... | 7.8 | HIGH | β | 0 |
| CVE-2026-41168 pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-refe... | N/A | NONE | β | 0 |
| CVE-2026-41167 Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directl... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-41166 OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users ... | 7.0 | HIGH | β | 0 |
| CVE-2026-41134 Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/de... | N/A | NONE | β | 0 |
| CVE-2026-40937 RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions`... | 8.3 | HIGH | β | 0 |
| CVE-2026-40882 OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who... | 7.6 | HIGH | β | 0 |
| CVE-2026-3837 An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter im... | N/A | NONE | β | 0 |
| CVE-2026-34068 nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-34067 nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != p... | 3.1 | LOW | β | 0 |
| CVE-2026-33733 EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass th... | 7.2 | HIGH | β | 0 |
| CVE-2026-33656 EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an aut... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-6019 http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the gene... | N/A | NONE | β | 0 |
| CVE-2026-3673 An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpo... | N/A | NONE | β | 0 |
| CVE-2026-34066 nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTra... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34065 nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcin... | 7.5 | HIGH | β | 0 |
| CVE-2026-34064 nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_b... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34063 Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes there ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34062 nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer ca... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33471 nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each ... | 9.6 | CRITICAL | β | 0 |
| CVE-2026-41469 Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template ... | 5.2 | MEDIUM | β | 0 |
| CVE-2026-41468 Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these pr... | 8.7 | HIGH | β | 0 |
| CVE-2026-41459 Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the applicatio... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34415 Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an in... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-34414 Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in ren... | 7.1 | HIGH | β | 0 |
| CVE-2026-34413 Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauth... | 8.6 | HIGH | β | 0 |
| CVE-2026-28950 A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly r... | N/A | NONE | β | 0 |
| CVE-2026-26354 Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13.1.0 ... | 8.1 | HIGH | β | 0 |
| CVE-2026-6515 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incor... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-5816 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript... | 8.0 | HIGH | β | 0 |
| CVE-2026-5377 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in publ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5262 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unau... | 8.0 | HIGH | β | 0 |
| CVE-2026-4922 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute... | 8.1 | HIGH | β | 0 |
| CVE-2026-3254 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into... | 3.5 | LOW | β | 0 |
| CVE-2026-35382 Rejected reason: Voluntarily withdrawn | N/A | NONE | β | 0 |
| CVE-2026-35381 A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The imp... | 3.3 | LOW | β | 0 |
| CVE-2026-35380 A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenly... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-35379 A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space chara... | 3.3 | LOW | β | 0 |
| CVE-2026-35378 A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw ... | 3.3 | LOW | β | 0 |
| CVE-2026-35377 A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quote... | 3.3 | LOW | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.