Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-26723 Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter. | 8.2 | HIGH | β | 0 |
| CVE-2019-25494 Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password... | 8.2 | HIGH | β | 0 |
| CVE-2026-28787 OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, ... | 8.2 | HIGH | β | 0 |
| CVE-2020-37163 QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject U... | 8.2 | HIGH | β | 0 |
| CVE-2026-29193 ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-reg... | 8.2 | HIGH | β | 0 |
| CVE-2019-25495 osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can sen... | 8.2 | HIGH | β | 0 |
| CVE-2019-25391 Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST... | 8.2 | HIGH | β | 0 |
| CVE-2019-25446 DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters... | 8.2 | HIGH | β | 0 |
| CVE-2026-25794 ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to vers... | 8.2 | HIGH | β | 0 |
| CVE-2026-29046 TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser ... | 8.2 | HIGH | β | 0 |
| CVE-2019-25443 Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicio... | 8.2 | HIGH | β | 0 |
| CVE-2019-25493 Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requ... | 8.2 | HIGH | β | 0 |
| CVE-2020-37006 berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a craf... | 8.2 | HIGH | β | 0 |
| CVE-2019-25497 osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send ... | 8.2 | HIGH | β | 0 |
| CVE-2019-25496 osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can mo... | 8.2 | HIGH | β | 0 |
| CVE-2026-28562 wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers ... | 8.2 | HIGH | β | 0 |
| CVE-2026-33979 Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerabili... | 8.2 | HIGH | β | 0 |
| CVE-2019-25486 Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POS... | 8.2 | HIGH | β | 0 |
| CVE-2018-25197 PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can se... | 8.2 | HIGH | β | 0 |
| CVE-2018-25196 ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST ... | 8.2 | HIGH | β | 0 |
| CVE-2018-25194 Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can se... | 8.2 | HIGH | β | 0 |
| CVE-2018-25166 Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attac... | 8.2 | HIGH | β | 0 |
| CVE-2018-25163 BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in for... | 8.2 | HIGH | β | 0 |
| CVE-2018-25161 Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName... | 8.2 | HIGH | β | 0 |
| CVE-2019-25507 Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. Attackers ... | 8.2 | HIGH | β | 0 |
| CVE-2019-25504 NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. Attackers can sen... | 8.2 | HIGH | β | 0 |
| CVE-2026-34578 OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_... | 8.2 | HIGH | β | 0 |
| CVE-2026-40168 Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct pr... | 8.2 | HIGH | β | 0 |
| CVE-2026-33810 When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affec... | 8.2 | HIGH | β | 0 |
| CVE-2026-23456 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read ... | 8.2 | HIGH | β | 0 |
| CVE-2026-27890 Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes se... | 8.2 | HIGH | β | 0 |
| CVE-2026-41296 OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path vali... | 8.2 | HIGH | β | 0 |
| CVE-2019-25697 CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requ... | 8.2 | HIGH | β | 0 |
| CVE-2025-67977 Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a ... | 8.2 | HIGH | β | 0 |
| CVE-2026-40022 When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via ca... | 8.2 | HIGH | β | 0 |
| CVE-2026-41059 OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when a... | 8.2 | HIGH | β | 0 |
| CVE-2026-41145 MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSI... | 8.2 | HIGH | β | 0 |
| CVE-2018-25203 Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers ca... | 8.2 | HIGH | β | 0 |
| CVE-2018-25204 Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can send POST req... | 8.2 | HIGH | β | 0 |
| CVE-2018-25205 ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can sub... | 8.2 | HIGH | β | 0 |
| CVE-2018-25206 KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Attackers can submit POST requests with malicio... | 8.2 | HIGH | β | 0 |
| CVE-2018-25208 qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filter_by parameters. Attackers can submit maliciou... | 8.2 | HIGH | β | 0 |
| CVE-2018-25209 OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can subm... | 8.2 | HIGH | β | 0 |
| CVE-2026-32877 Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value... | 8.2 | HIGH | β | 0 |
| CVE-2026-31476 In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails (e.g. wrong password), the error... | 8.2 | HIGH | β | 0 |
| CVE-2019-25481 iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. Atta... | 8.2 | HIGH | β | 0 |
| CVE-2018-25185 Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers ... | 8.2 | HIGH | β | 0 |
| CVE-2018-25202 SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit ... | 8.2 | HIGH | β | 0 |
| CVE-2026-33331 oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI do... | 8.2 | HIGH | β | 0 |
| CVE-2026-27826 MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint ... | 8.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.