Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-38528 Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. | 7.1 | HIGH | — | 0 |
| CVE-2018-25165 Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. Attack... | 7.1 | HIGH | — | 0 |
| CVE-2026-23315 In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in ... | 7.1 | HIGH | — | 0 |
| CVE-2025-10559 A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read ... | 7.1 | HIGH | — | 0 |
| CVE-2026-32528 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Riode riode allows Reflected XSS.This issue affects Riode: from n/a through < 1.6.29. | 7.1 | HIGH | — | 0 |
| CVE-2019-25707 eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send... | 7.1 | HIGH | — | 0 |
| CVE-2026-23204 In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use sk... | 7.1 | HIGH | — | 0 |
| CVE-2026-39976 Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT... | 7.1 | HIGH | — | 0 |
| CVE-2026-4162 The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perf... | 7.1 | HIGH | — | 0 |
| CVE-2026-34053 OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/... | 7.1 | HIGH | — | 0 |
| CVE-2026-28825 An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to modify protected par... | 7.1 | HIGH | — | 0 |
| CVE-2025-68852 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS.This issue affects Court Reserv... | 7.1 | HIGH | — | 0 |
| CVE-2026-41299 OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket hand... | 7.1 | HIGH | — | 0 |
| CVE-2026-22357 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper F... | 7.1 | HIGH | — | 0 |
| CVE-2026-28747 A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed. | 7.1 | HIGH | — | 0 |
| CVE-2025-15381 In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including... | 7.1 | HIGH | — | 0 |
| CVE-2018-25201 School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username para... | 7.1 | HIGH | — | 0 |
| CVE-2026-24980 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Visionary Core noo-visionary-core allows Reflected XSS.This issue affects Visionary Core:... | 7.1 | HIGH | — | 0 |
| CVE-2026-31626 In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using unini... | 7.1 | HIGH | — | 0 |
| CVE-2026-23269 In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into... | 7.1 | HIGH | — | 0 |
| CVE-2026-35167 Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version s... | 7.1 | HIGH | — | 0 |
| CVE-2019-25638 Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. A... | 7.1 | HIGH | — | 0 |
| CVE-2026-28073 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through... | 7.1 | HIGH | — | 0 |
| CVE-2026-26103 A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivi... | 7.1 | HIGH | — | 0 |
| CVE-2026-35183 Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/... | 7.1 | HIGH | — | 0 |
| CVE-2026-25346 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Exploiting Incorrectly Configured Access Control Se... | 7.1 | HIGH | — | 0 |
| CVE-2026-25373 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a... | 7.1 | HIGH | — | 0 |
| CVE-2026-25435 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS.This issu... | 7.1 | HIGH | — | 0 |
| CVE-2026-34828 listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessio... | 7.1 | HIGH | — | 0 |
| CVE-2026-35170 openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when ... | 7.1 | HIGH | — | 0 |
| CVE-2026-24369 Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0. | 7.1 | HIGH | — | 0 |
| CVE-2026-5444 A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned a... | 7.1 | HIGH | — | 0 |
| CVE-2026-34476 Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes ... | 7.1 | HIGH | — | 0 |
| CVE-2026-28460 OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell lin... | 7.1 | HIGH | — | 0 |
| CVE-2026-32000 OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers... | 7.1 | HIGH | — | 0 |
| CVE-2026-32017 OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability in the exec safeBins policy that allows attackers to write arbitrary files using short-option payloads. Attackers can byp... | 7.1 | HIGH | — | 0 |
| CVE-2026-5809 The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action hand... | 7.1 | HIGH | — | 0 |
| CVE-2026-40024 The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted f... | 7.1 | HIGH | — | 0 |
| CVE-2026-23973 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo golo allows Reflected XSS.This issue affects Golo: from n/a through < 1.7.5. | 7.1 | HIGH | — | 0 |
| CVE-2026-23434 In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlo... | 7.1 | HIGH | — | 0 |
| CVE-2026-31568 In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add missing secure storage access fixups for donated memory There are special cases where secure storage access exception... | 7.1 | HIGH | — | 0 |
| CVE-2026-25018 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stmcan NaturaLife Extensions naturalife-extensions allows Reflected XSS.This issue affects NaturaL... | 7.1 | HIGH | — | 0 |
| CVE-2026-22175 OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers lik... | 7.1 | HIGH | — | 0 |
| CVE-2026-32529 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Molla molla allows Reflected XSS.This issue affects Molla: from n/a through < 1.5.19. | 7.1 | HIGH | — | 0 |
| CVE-2026-2368 An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code. | 7.1 | HIGH | — | 0 |
| CVE-2026-25342 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kutethemes Boutique kute-boutique allows Reflected XSS.This issue affects Boutique: from n/a throu... | 7.1 | HIGH | — | 0 |
| CVE-2026-1264 IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 allows a remote unauthenticated attacker to view ... | 7.1 | HIGH | — | 0 |
| CVE-2026-41270 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Funct... | 7.1 | HIGH | — | 0 |
| CVE-2026-41272 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side... | 7.1 | HIGH | — | 0 |
| CVE-2026-40518 ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers... | 7.1 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.