CVE Vulnerabilities
CVE vulnerability database enriched with data from CISA KEV and NVD
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-39890 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/functio... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-24601 Deserialization of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection. This issue affects FundPress: from n/a through <= 2.0.6. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-24671 Deserialization of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows Object Injection. This issue affects Save as PDF: from n/a through <= 4.4.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-27286 Deserialization of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider saoshyant-slider allows Object Injection. This issue affects Saoshyant Slider: from n/a through <= 3.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-27287 Deserialization of Untrusted Data vulnerability in ssvadim SS Quiz ssquiz allows Object Injection. This issue affects SS Quiz: from n/a through <= 2.0.5. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-31380 Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Password Recovery Exploitation. This issue affects Paid Videoch... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-32572 Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus kata-plus allows Object Injection. This issue affects Kata Plus: from n/a through <= 1.5.3. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-32117 Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Go... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-32648 Incorrect Privilege Assignment vulnerability in Projectopia Projectopia projectopia-core allows Privilege Escalation. This issue affects Projectopia: from n/a through <= 5.1.24. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-32658 Deserialization of Untrusted Data vulnerability in wpWax HelpGent helpgent allows Object Injection. This issue affects HelpGent: from n/a through <= 2.2.5. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-39550 Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity fluent-community allows Object Injection. This issue affects FluentCommunity: from n/a through <= 1.2.15. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-39551 Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Object Injection. This issue affects FluentBoards: from n/a through <= 1.47. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-39588 Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-39596 Weak Authentication vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows Privilege Escalation. This issue affects Quentn WP: from n/a through <= 1.2.8. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-52836 Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP profitori allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through <= 2.... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-47805 Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCafe: from n/a through <= 2.2.22. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-36057 Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33816 Memory-safety vulnerability in github.com/jackc/pgx/v5. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-35490 changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. I... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-51800 Incorrect Privilege Assignment vulnerability in Favethemes Homey homey allows Privilege Escalation. This issue affects Homey: from n/a through <= 2.4.1. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-27007 Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation. This issue affects OttoKit: from n/a through <= 1.0.82. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-31612 Deserialization of Untrusted Data vulnerability in Sabuj Kundu CBX Poll cbxpoll allows Object Injection. This issue affects CBX Poll: from n/a through <= 2.0.4. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-3535 The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, a... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-4003 The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-49072 Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy mr-murphy allows Object Injection. This issue affects Mr. Murphy: from n/a through < 1.2.12.1. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-49073 Deserialization of Untrusted Data vulnerability in axiomthemes Sweet Dessert sweet-dessert allows Object Injection. This issue affects Sweet Dessert: from n/a through < 1.1.13. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33439 Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deseriali... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-31022 Authentication Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India payu-india allows Authentication Abuse. This issue affects PayU India: from n/a through < 3.8.8. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-31052 Deserialization of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page Beauty Theme nrgfashion allows Object Injection. This issue affects The Fashion - Model Agency One Page B... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-54386 Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik's plugin installatio... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-7077 Sharp NEC Displays (P403, P463, P553, P703, P801, X554UN, X464UN, X554UNS, X464UNV, X474HB, X464UNS, X554UNV, X555UNS, X555UNV, X754HB, X554HB, E705, E805, E905, UN551S, UN551VS, X551UHD, X651UHD, X84... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-51745 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-6389 The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the fu... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-11456 The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-44893 FW-WGS-804HPT v1.305b241111 was discovered to contain a stack overflow via the ruleNamekey parameter in the web_acl_mgmt_Rules_Apply_post function. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-48057 Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.1... | 9.8 | CRITICAL | β | 0 |
| CVE-2016-15043 The WP Mobile Detector plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in resize.php file in versions up to, and including, 3.5. This makes it possible... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-64755 Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on t... | 9.8 | CRITICAL | β | 0 |
| CVE-2015-10135 The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-26226 A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682 | 9.8 | CRITICAL | β | 0 |
| CVE-2012-10019 The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthe... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-54321 In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automati... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-47267 An issue discovered in TheGreenBow Windows Enterprise Certified VPN Client 6.52, Windows Standard VPN Client 6.87, and Windows Enterprise VPN Client 6.87 allows attackers to gain escalated privileges ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-59245 Microsoft SharePoint Online Elevation of Privilege Vulnerability | 9.8 | CRITICAL | β | 0 |
| CVE-2025-2474 Out-of-bounds write in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition or execute code in the context of the pro... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-41913 strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-63685 Quark Cloud Drive v3.23.2 has a DLL Hijacking vulnerability. This vulnerability stems from the insecure loading of system libraries. Specifically, the application does not validate the path or signatu... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48022 Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its ... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-25176 LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-23679 Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. A remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.