Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2023-54360 Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft mali... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-26460 A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (get... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-21331 Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-6024 The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into th... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35608 QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-31013 Dovestones Softwares ADPhonebook <4.0.1.1 has a reflected cross-site scripting (XSS) vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-40340 libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530β563). The f... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39400 Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript thr... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-0512 Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed b... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34269 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows un... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-38935 A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39840 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This iss... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34274 Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allo... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-20041 A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected d... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-41356 Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious ... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-41357 Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35667 OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately witho... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34739 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without apply... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-29136 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to inject HTML into notification emails about new CA certificates. | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35055 XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with po... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35199 SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, The SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-40302 zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/t... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34405 Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the imageβgeneration component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability t... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34605 SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynami... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-3877 A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated vi... | 6.1 | MEDIUM | β | 0 |
| CVE-2017-20239 MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft U... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-25854 Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34598 YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authenticat... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-20170 A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed thi... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35491 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) th... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-33812 Parsing a malicious font file can cause excessive memory allocation. | 6.1 | MEDIUM | β | 0 |
| CVE-2026-6835 The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result i... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35515 Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text prot... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-30139 A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a us... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35473 WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically thr... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-6861 A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local us... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4131 The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-34229 Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39335 ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path w... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-26169 Buffer over-read in Windows Kernel Memory allows an authorized attacker to disclose information locally. | 6.1 | MEDIUM | β | 0 |
| CVE-2026-27124 FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a F... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-61872 Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7... | 6.1 | MEDIUM | β | 0 |
| CVE-2018-25247 MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Attackers can craf... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4090 The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page func... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-35410 Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed func... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-1838 The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and ... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-69993 Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing a... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-2399 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the P... | 6.1 | MEDIUM | β | 0 |
| CVE-2018-25269 ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attack... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39416 AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item prev... | 6.1 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.