Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-39466 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind... | 7.6 | HIGH | β | 0 |
| CVE-2026-32728 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the fi... | 7.6 | HIGH | β | 0 |
| CVE-2026-34529 File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Brow... | 7.6 | HIGH | β | 0 |
| CVE-2026-39369 WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... | 7.6 | HIGH | β | 0 |
| CVE-2026-42646 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Burge TaxoPress simple-tags allows Blind SQL Injection.This issue affects TaxoPress: from n/... | 7.6 | HIGH | β | 0 |
| CVE-2025-8589 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS.This issue... | 7.6 | HIGH | β | 0 |
| CVE-2026-32459 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Blind SQL Injection.This issue affects Ups... | 7.6 | HIGH | β | 0 |
| CVE-2026-32358 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.This issue affects Booking Calendar:... | 7.6 | HIGH | β | 0 |
| CVE-2025-40587 A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in docume... | 7.6 | HIGH | β | 0 |
| CVE-2026-39475 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Fee... | 7.6 | HIGH | β | 0 |
| CVE-2026-22011 Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allow... | 7.6 | HIGH | β | 0 |
| CVE-2025-14914 IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1Β could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading ... | 7.6 | HIGH | β | 0 |
| CVE-2026-32458 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 WOLF bulk-editor allows Blind SQL Injection.This issue affects WOLF: from n/a through <... | 7.6 | HIGH | β | 0 |
| CVE-2025-14343 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS.This issue affects E-Comm... | 7.6 | HIGH | β | 0 |
| CVE-2026-26010 OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres... | 7.6 | HIGH | β | 0 |
| CVE-2026-29053 Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in... | 7.6 | HIGH | β | 0 |
| CVE-2026-32101 StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but... | 7.6 | HIGH | β | 0 |
| CVE-2026-30918 facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP... | 7.6 | HIGH | β | 0 |
| CVE-2026-28136 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.1... | 7.6 | HIGH | β | 0 |
| CVE-2025-8461 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS.This issue affects syWEB: through 03022026.Β NOT... | 7.6 | HIGH | β | 0 |
| CVE-2026-40589 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer i... | 7.6 | HIGH | β | 0 |
| CVE-2026-32117 The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / win... | 7.6 | HIGH | β | 0 |
| CVE-2026-25802 New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRend... | 7.6 | HIGH | β | 0 |
| CVE-2025-70963 Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each userβs long-lived API key directly inside the rendered HTML/JavaScript of the page on every login.... | 7.6 | HIGH | β | 0 |
| CVE-2026-30919 facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , stored XSS (also known as persistent or second-order XSS) occurs when an application receives data from a... | 7.6 | HIGH | β | 0 |
| CVE-2025-8456 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected ... | 7.6 | HIGH | β | 0 |
| CVE-2026-25378 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Blind SQL Injection.This issue affects Nel... | 7.6 | HIGH | β | 0 |
| CVE-2026-23775 Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of... | 7.6 | HIGH | β | 0 |
| CVE-2026-33636 LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and... | 7.6 | HIGH | β | 0 |
| CVE-2026-32055 OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks po... | 7.6 | HIGH | β | 0 |
| CVE-2026-33718 OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The... | 7.6 | HIGH | β | 0 |
| CVE-2026-2469 Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() functio... | 7.6 | HIGH | β | 0 |
| CVE-2025-67102 A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. | 7.6 | HIGH | β | 0 |
| CVE-2026-34367 InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnera... | 7.6 | HIGH | β | 0 |
| CVE-2026-1046 Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a userβs system via the user clicking on... | 7.6 | HIGH | β | 0 |
| CVE-2026-41297 OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalida... | 7.6 | HIGH | β | 0 |
| CVE-2025-33238 NVIDIA Triton Inference Server Sagemaker HTTP server contains a vulnerability where an attacker may cause an exception. A successful exploit of this vulnerability may lead to denial of service. | 7.5 | HIGH | β | 0 |
| CVE-2026-40073 SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit a... | 7.5 | HIGH | β | 0 |
| CVE-2026-26171 Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network. | 7.5 | HIGH | β | 0 |
| CVE-2026-34483 Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10... | 7.5 | HIGH | β | 0 |
| CVE-2025-50667 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the iface parameter in the /wan_line_detection.asp endpoint. | 7.5 | HIGH | β | 0 |
| CVE-2025-50668 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the s parameter in the /web_list_opt.asp endpoint. | 7.5 | HIGH | β | 0 |
| CVE-2026-35525 LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is i... | 7.5 | HIGH | β | 0 |
| CVE-2026-40177 ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication This vulnerabili... | 7.5 | HIGH | β | 0 |
| CVE-2026-32178 Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network. | 7.5 | HIGH | β | 0 |
| CVE-2026-23869 A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0... | 7.5 | HIGH | β | 0 |
| CVE-2026-34297 Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable ... | 7.5 | HIGH | β | 0 |
| CVE-2026-35203 ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying... | 7.5 | HIGH | β | 0 |
| CVE-2026-39889 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function ... | 7.5 | HIGH | β | 0 |
| CVE-2026-5087 PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely. PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom de... | 7.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.