Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-26139 Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. | 8.6 | HIGH | β | 0 |
| CVE-2026-31998 OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attack... | 8.6 | HIGH | β | 0 |
| CVE-2025-8587 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection.This issue affect... | 8.6 | HIGH | β | 0 |
| CVE-2026-0007 In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no add... | 8.6 | HIGH | β | 0 |
| CVE-2026-25085 A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in which an unexpected return value from the authentication routine is later on processed as a legitimate value, resulting in an... | 8.6 | HIGH | β | 0 |
| CVE-2025-32008 Out-of-bounds write in the firmware for the Intel(R) AMT and Intel(R) Standard Manageability within Ring 3: User Applications may allow a denial of service. Network adversary with an unauthenticated u... | 8.6 | HIGH | β | 0 |
| CVE-2025-4686 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assess... | 8.6 | HIGH | β | 0 |
| CVE-2025-7799 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS.This... | 8.6 | HIGH | β | 0 |
| CVE-2026-25545 Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page (eg. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `... | 8.6 | HIGH | β | 0 |
| CVE-2025-7631 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. C... | 8.6 | HIGH | β | 0 |
| CVE-2026-25748 authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Pro... | 8.6 | HIGH | β | 0 |
| CVE-2026-26938 Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) exists in Workflows in Kibana which could allow an attacker to read arbitrary files from the Kibana server filesystem, ... | 8.6 | HIGH | β | 0 |
| CVE-2026-28508 Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any... | 8.6 | HIGH | β | 0 |
| CVE-2026-25965 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagickβs path security policy is enforced on the raw filen... | 8.6 | HIGH | β | 0 |
| CVE-2026-26125 Payment Orchestrator Service Elevation of Privilege Vulnerability | 8.6 | HIGH | β | 0 |
| CVE-2026-20082 A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming... | 8.6 | HIGH | β | 0 |
| CVE-2026-32422 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP Easy... | 8.5 | HIGH | β | 0 |
| CVE-2026-27428 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eagle-Themes Eagle Booking eagle-booking allows SQL Injection.This issue affects Eagle Booking: fr... | 8.5 | HIGH | β | 0 |
| CVE-2026-24959 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk:... | 8.5 | HIGH | β | 0 |
| CVE-2025-67733 Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for ... | 8.5 | HIGH | β | 0 |
| CVE-2026-30242 Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace... | 8.5 | HIGH | β | 0 |
| CVE-2026-41230 Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in t... | 8.5 | HIGH | β | 0 |
| CVE-2026-5173 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke un... | 8.5 | HIGH | β | 0 |
| CVE-2026-34747 Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL q... | 8.5 | HIGH | β | 0 |
| CVE-2026-34352 In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions. | 8.5 | HIGH | β | 0 |
| CVE-2026-24977 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Organici Library noo-organici-library allows Blind SQL Injection.This issue affects Organ... | 8.5 | HIGH | β | 0 |
| CVE-2026-5936 An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal netwo... | 8.5 | HIGH | β | 0 |
| CVE-2026-33953 LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still performs server-side requests to internal-only resources when... | 8.5 | HIGH | β | 0 |
| CVE-2026-5329 Rapid7 Velociraptor versions prior to 0.76.2Β contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an aut... | 8.5 | HIGH | β | 0 |
| CVE-2026-1342 IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Acces... | 8.5 | HIGH | β | 0 |
| CVE-2026-38527 A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. | 8.5 | HIGH | β | 0 |
| CVE-2026-34975 Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject... | 8.5 | HIGH | β | 0 |
| CVE-2026-32433 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal cp-contact-form-with-paypal allows Blind SQL Injection.This... | 8.5 | HIGH | β | 0 |
| CVE-2026-32368 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from ... | 8.5 | HIGH | β | 0 |
| CVE-2026-25628 Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_... | 8.5 | HIGH | β | 0 |
| CVE-2026-32459 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Blind SQL Injection.This issue affects Ups... | 8.5 | HIGH | β | 0 |
| CVE-2026-32399 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Blind SQL Injection.This issu... | 8.5 | HIGH | β | 0 |
| CVE-2026-28134 Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion.This issue affects JetEngine: from n/a through <= 3.7.2. | 8.5 | HIGH | β | 0 |
| CVE-2026-31917 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP erp allows SQL Injection.This issue affects WP ERP: from n/a through <= 1.16.10. | 8.5 | HIGH | β | 0 |
| CVE-2026-35548 An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after mo... | 8.5 | HIGH | β | 0 |
| CVE-2026-40568 FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization functi... | 8.5 | HIGH | β | 0 |
| CVE-2026-32366 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Categories collapsing-categories allows Blind SQL Injection.This issue affects... | 8.5 | HIGH | β | 0 |
| CVE-2026-39495 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection.This... | 8.5 | HIGH | β | 0 |
| CVE-2026-25007 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Bli... | 8.5 | HIGH | β | 0 |
| CVE-2026-31817 OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used fo... | 8.5 | HIGH | β | 0 |
| CVE-2026-41461 SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not... | 8.5 | HIGH | β | 0 |
| CVE-2026-32246 Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain a... | 8.5 | HIGH | β | 0 |
| CVE-2026-32516 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects M... | 8.5 | HIGH | β | 0 |
| CVE-2026-31922 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <=... | 8.5 | HIGH | β | 0 |
| CVE-2026-39475 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Fee... | 8.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.