Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-1800 The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via the โfmcfIdSelectedFntโ parameter in all versions up to, and including, 1.2 due to insufficient esca... | 7.5 | HIGH | โ | 0 |
| CVE-2020-37107 Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the account field with a large buffer. Attackers can create a text file with 20... | 7.5 | HIGH | โ | 0 |
| CVE-2025-70758 chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.p... | 7.5 | HIGH | โ | 0 |
| CVE-2026-25564 WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-25563 WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-27018 Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patch... | 7.5 | HIGH | โ | 0 |
| CVE-2026-24491 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and trig... | 7.5 | HIGH | โ | 0 |
| CVE-2026-2468 The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplie... | 7.5 | HIGH | โ | 0 |
| CVE-2020-37150 Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wirel... | 7.5 | HIGH | โ | 0 |
| CVE-2026-33593 A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query. | 7.5 | HIGH | โ | 0 |
| CVE-2026-24773 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-35245 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated... | 7.5 | HIGH | โ | 0 |
| CVE-2026-24385 Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.This issue affects Podlove Web Player: from n/a through <= 5.9.1. | 7.5 | HIGH | โ | 0 |
| CVE-2026-35242 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileg... | 7.5 | HIGH | โ | 0 |
| CVE-2025-8590 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing.This issue affects SKSPro: through 070... | 7.5 | HIGH | โ | 0 |
| CVE-2026-27361 Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue aff... | 7.5 | HIGH | โ | 0 |
| CVE-2026-27370 Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue affects Chaty: from n/a through <= 3.5.1. | 7.5 | HIGH | โ | 0 |
| CVE-2026-25235 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verif... | 7.5 | HIGH | โ | 0 |
| CVE-2026-27374 Missing Authorization vulnerability in vanquish WooCommerce Order Details woocommerce-order-details allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommer... | 7.5 | HIGH | โ | 0 |
| CVE-2026-25575 NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated us... | 7.5 | HIGH | โ | 0 |
| CVE-2026-6781 Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | 7.5 | HIGH | โ | 0 |
| CVE-2026-27388 Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects... | 7.5 | HIGH | โ | 0 |
| CVE-2026-27406 Insertion of Sensitive Information Into Sent Data vulnerability in Joe Dolson My Tickets my-tickets allows Retrieve Embedded Sensitive Data.This issue affects My Tickets: from n/a through <= 2.1.0. | 7.5 | HIGH | โ | 0 |
| CVE-2026-25239 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker ca... | 7.5 | HIGH | โ | 0 |
| CVE-2026-6773 Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | 7.5 | HIGH | โ | 0 |
| CVE-2026-6772 Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | 7.5 | HIGH | โ | 0 |
| CVE-2026-6766 Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | 7.5 | HIGH | โ | 0 |
| CVE-2026-40586 blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed wi... | 7.5 | HIGH | โ | 0 |
| CVE-2025-69297 Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a th... | 7.5 | HIGH | โ | 0 |
| CVE-2025-67853 A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user... | 7.5 | HIGH | โ | 0 |
| CVE-2026-25537 jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-24455 The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-6022 In Progressยฎ Telerikยฎ UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-30994 Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials. | 7.5 | HIGH | โ | 0 |
| CVE-2026-40870 Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resour... | 7.5 | HIGH | โ | 0 |
| CVE-2025-62601 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, m... | 7.5 | HIGH | โ | 0 |
| CVE-2026-30996 An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET reques... | 7.5 | HIGH | โ | 0 |
| CVE-2025-62602 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, m... | 7.5 | HIGH | โ | 0 |
| CVE-2025-62603 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that car... | 7.5 | HIGH | โ | 0 |
| CVE-2026-40881 ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra wou... | 7.5 | HIGH | โ | 0 |
| CVE-2025-64438 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory... | 7.5 | HIGH | โ | 0 |
| CVE-2026-40890 The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > characte... | 7.5 | HIGH | โ | 0 |
| CVE-2026-22016 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u... | 7.5 | HIGH | โ | 0 |
| CVE-2026-34282 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-25614 Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | 7.5 | HIGH | โ | 0 |
| CVE-2026-6759 Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | 7.5 | HIGH | โ | 0 |
| CVE-2026-25499 Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in esc... | 7.5 | HIGH | โ | 0 |
| CVE-2026-33813 Parsing a WEBP image with an invalid, large size panics on 32-bit platforms. | 7.5 | HIGH | โ | 0 |
| CVE-2026-34320 Vulnerability in the Oracle Financial Services Customer Screening product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. ... | 7.5 | HIGH | โ | 0 |
| CVE-2026-35229 Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker... | 7.5 | HIGH | โ | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.