Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-42427 OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. A... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39628 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <=... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39626 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39624 Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39616 Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5502 The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing auth... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39612 Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39609 Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through <= 0.... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39605 Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39585 Missing Authorization vulnerability in Arraytics Booktics booktics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booktics: from n/a through <= 1.0.16. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39563 Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a thr... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39561 Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4019 The Complianz β GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/com... | 5.3 | MEDIUM | β | 0 |
| CVE-2016-20053 Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting m... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40737 Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-41363 OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can ex... | 5.3 | MEDIUM | β | 0 |
| CVE-2016-20051 Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5585 A vulnerability was found in Tencent AI-Infra-Guard 4.0. The affected element is an unknown function of the file common/websocket/task_manager.go of the component Task Detail Endpoint. Performing a ma... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-31924 Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users a... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-15565 The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This mak... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5601 A vulnerability was found in Acrel Electrical Prepaid Cloud Platform 1.0. This issue affects some unknown processing of the file /bin.rar of the component Backup File Handler. The manipulation results... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32655 Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerab... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5571 A vulnerability was identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. The impacted element is an unknown function of the file /fs of the component Configuration Data Handler. Such manipulati... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-42034 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https tran... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-41400 OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-st... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35626 OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35633 OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send cr... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-7071 A security vulnerability has been detected in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /users/user-cvs/. The manipulation leads to file a... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40100 FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() on... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-6985 A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-21726 The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/r... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33888 ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type m... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-6966 Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold r... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5661 A vulnerability was identified in Free5GC 4.2.0. This affects an unknown function of the component NGSetupRequest Handler. Such manipulation leads to denial of service. The attack may be launched remo... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-41322 @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 err... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5549 A vulnerability was determined in Tenda AC10 16.03.10.10_multi_TDE01. Affected by this issue is some unknown functionality of the file /webroot_ro/pem/privkeySrv.pem of the component RSA 2048-bit Priv... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3477 The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_a... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3646 The LTL Freight Quotes β R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-2263 The Hustle β Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted'... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14944 The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' f... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5619 A flaw has been found in Braffolk mcp-summarization-functions up to 0.1.5. This impacts an unknown function of the file src/server/mcp-server.ts of the component summarize_command. Executing a manipul... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34155 RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-41301 OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature valid... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5527 A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Pri... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-2696 The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored i... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1797 The Appointment Booking and Scheduler Plugin β Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-30878 baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accep... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-26895 User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-41331 OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5666 A vulnerability was detected in code-projects Online FIR System 1.0. Affected by this issue is some unknown functionality of the file /complaints.sql of the component SQL Database Backup File Handler.... | 5.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.