Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-25960 vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent... | 7.1 | HIGH | β | 0 |
| CVE-2026-40244 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, a... | 7.1 | HIGH | β | 0 |
| CVE-2026-28072 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixFort pixfort Core pixfort-core allows Reflected XSS.This issue affects pixfort Core: from n/a t... | 7.1 | HIGH | β | 0 |
| CVE-2026-28075 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto porto allows Reflected XSS.This issue affects Porto: from n/a through <= 7.6.2. | 7.1 | HIGH | β | 0 |
| CVE-2026-25741 Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to ... | 7.1 | HIGH | β | 0 |
| CVE-2026-27638 Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to t... | 7.1 | HIGH | β | 0 |
| CVE-2026-27692 iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, heap-buffer-overflow read occurs during CIccTagTextDescription::Re... | 7.1 | HIGH | β | 0 |
| CVE-2026-25640 Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an at... | 7.1 | HIGH | β | 0 |
| CVE-2026-29778 pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder p... | 7.1 | HIGH | β | 0 |
| CVE-2026-22048 StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.12 and 12.0.0.4 with Single Sign-on enabled and configured to use Microsoft Entra ID (formerly Azure AD) as an IdP are susceptible ... | 7.1 | HIGH | β | 0 |
| CVE-2025-67618 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4. | 7.1 | HIGH | β | 0 |
| CVE-2025-36247 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 is vulnerable to an XML external entity injection (XXE) attack when processing XML dat... | 7.1 | HIGH | β | 0 |
| CVE-2026-23099 In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: K... | 7.1 | HIGH | β | 0 |
| CVE-2025-69391 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4... | 7.1 | HIGH | β | 0 |
| CVE-2025-11791 Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Ac... | 7.1 | HIGH | β | 0 |
| CVE-2026-23102 In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, Restoring SVE signal context can go wrong in a few way... | 7.1 | HIGH | β | 0 |
| CVE-2026-35155 Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated lowβprivileged... | 7.1 | HIGH | β | 0 |
| CVE-2026-28459 OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Att... | 7.1 | HIGH | β | 0 |
| CVE-2026-29077 Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they ... | 7.1 | HIGH | β | 0 |
| CVE-2025-68037 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atlas Gondal Export Media URLs export-media-urls allows Reflected XSS.This issue affects Export Me... | 7.1 | HIGH | β | 0 |
| CVE-2025-68843 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS.This issue affects FeedWordP... | 7.1 | HIGH | β | 0 |
| CVE-2025-71231 In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but t... | 7.1 | HIGH | β | 0 |
| CVE-2026-28548 Vulnerability of improper verification in the email application.Β Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 7.1 | HIGH | β | 0 |
| CVE-2026-28112 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows Reflected XSS.This issue af... | 7.1 | HIGH | β | 0 |
| CVE-2026-25503 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ... | 7.1 | HIGH | β | 0 |
| CVE-2026-23235 In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access an... | 7.1 | HIGH | β | 0 |
| CVE-2026-27757 SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. A... | 7.1 | HIGH | β | 0 |
| CVE-2025-69389 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hugh Mungus Visitor Maps Extended Referer Field visitor-maps-extended-referer-field allows Reflect... | 7.1 | HIGH | β | 0 |
| CVE-2026-25999 Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or del... | 7.1 | HIGH | β | 0 |
| CVE-2025-67972 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through ... | 7.1 | HIGH | β | 0 |
| CVE-2025-52469 Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamiloβs social network module allows an authenticated user to forcibly add ... | 7.1 | HIGH | β | 0 |
| CVE-2026-23187 In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove()... | 7.1 | HIGH | β | 0 |
| CVE-2026-2915 HP System Event Utility might allow denial of service with elevated arbitrary file writes. This potential vulnerability was remediated with HP System Event Utility version 3.2.16. | 7.1 | HIGH | β | 0 |
| CVE-2025-47378 Cryptographic Issue when a shared VM reference allows HLOS to boot loader and access cert chain. | 7.1 | HIGH | β | 0 |
| CVE-2025-66680 An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.3.2 and earlier allows attackers to delete arbitrary files via a crafted request. | 7.1 | HIGH | β | 0 |
| CVE-2019-25693 ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_... | 7.1 | HIGH | β | 0 |
| CVE-2026-32930 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated te... | 7.1 | HIGH | β | 0 |
| CVE-2026-40436 The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attack... | 7.1 | HIGH | β | 0 |
| CVE-2026-6940 radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the c... | 7.1 | HIGH | β | 0 |
| CVE-2026-33892 A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Manag... | 7.1 | HIGH | β | 0 |
| CVE-2026-25438 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS.This issue affects Gutenberg Bloc... | 7.1 | HIGH | β | 0 |
| CVE-2026-23204 In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use sk... | 7.1 | HIGH | β | 0 |
| CVE-2026-39362 InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetch... | 7.1 | HIGH | β | 0 |
| CVE-2026-1715 An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to modify arbitrary registry keys ... | 7.1 | HIGH | β | 0 |
| CVE-2026-1716 An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to delete arbitrary registry keys ... | 7.1 | HIGH | β | 0 |
| CVE-2026-33125 Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user account... | 7.1 | HIGH | β | 0 |
| CVE-2026-22357 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper F... | 7.1 | HIGH | β | 0 |
| CVE-2026-31484 In the Linux kernel, the following vulnerability has been resolved: io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check __io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs o... | 7.1 | HIGH | β | 0 |
| CVE-2026-40090 Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documen... | 7.1 | HIGH | β | 0 |
| CVE-2026-31614 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA na... | 7.1 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.