Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-31967 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while readin... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-31966 HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses refer... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-32698 OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When tha... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-2418 The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as a... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-32633 Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25752 FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets.... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-32573 Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through ... | 9.1 | CRITICAL | β | 0 |
| CVE-2025-55853 SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-32524 Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25447 Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a throug... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-4716 Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-24346 Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application | 9.1 | CRITICAL | β | 0 |
| CVE-2026-4715 Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-33202 Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys dire... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-33340 LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing v... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-34952 PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any netwo... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-33475 Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repos... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-30877 baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administr... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-29103 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allo... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40575 OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enable... | 9.1 | CRITICAL | β | 0 |
| CVE-2025-59383 A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed ... | 9.1 | CRITICAL | β | 0 |
| CVE-2025-1242 The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attack... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-28697 Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injectio... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-39339 ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allow... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-28783 Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Clos... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-33286 Graphiti is a framework that sits on top of models and exposes them via a JSON:API-compliant interface. Versions prior to 1.10.2 have an arbitrary method execution vulnerability that affects Graphiti'... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-0704 In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27699 The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()`Β method. A malicious FTP server can send directory li... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-26219 newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who ob... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27071 Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 3.0.7. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27843 A vulnerability exists inΒ SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applyi... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25722 Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd comm... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-34279 Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploi... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-4753 Out-of-bounds Read vulnerability in slajerek RetroDebugger.This issue affects RetroDebugger: before v0.64.72. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-4750 Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof: before woof_15.3.0. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25923 my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validati... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40903 goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40887 Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-30704 The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) exposes an unprotected UART interface through accessible hardware pads on the PCB | 9.1 | CRITICAL | β | 0 |
| CVE-2025-15484 The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's permission checks to grant full access to all unauthenticated requests, enabling complete read/write acces... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25057 MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (cou... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-26279 Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields dec... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40372 Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-33656 EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an aut... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-41193 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authent... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40324 Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A cr... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-33183 Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without va... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-5085 Solstice::Session versions through 1440 for Perl generates session ids insecurely. The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-27067 Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a thr... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40258 The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature.... | 9.1 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.