TROYANOSYVIRUS

CVE Vulnerabilities

CVE vulnerability database enriched with CISA KEV and NVD data

Total: 330,018 CVEs
CVE ID | CVSS | Severity | KEV | Sightings
CVE-2026-39401

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, job child processes can include an update_event key in their JSON output. The server applies this ...

N/A | NONE | — | 0
CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript thr...

N/A | NONE | — | 0
CVE-2026-39397

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's ...

9.4 | CRITICAL | — | 0
CVE-2026-35533

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attac...

7.7 | HIGH | — | 0
CVE-2026-34080

xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules bu...

N/A | NONE | — | 0
CVE-2026-34045

Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigge...

8.2 | HIGH | — | 0
CVE-2026-33439

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deseriali...

N/A | NONE | — | 0
CVE-2026-32712

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sal...

5.4 | MEDIUM | — | 0
CVE-2026-29181

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across val...

7.5 | HIGH | — | 0
CVE-2026-27949

Plane is an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the U...

2.0 | LOW | — | 0
CVE-2026-5741

A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stop_container/remove_container/pull_image of the file src/index.ts of the component HTT...

7.3 | HIGH | — | 0
CVE-2026-5739

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint....

7.3 | HIGH | — | 0
CVE-2026-3566

Rejected reason: After further discussion, the issue was determined to not meet the criteria for CVE assignment.

N/A | NONE | — | 0
CVE-2026-39841

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo E...

N/A | NONE | — | 0
CVE-2026-39840

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This iss...

N/A | NONE | — | 0
CVE-2026-39839

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo E...

N/A | NONE | — | 0
CVE-2026-39838

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements....

N/A | NONE | — | 0
CVE-2026-39837

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: b...

N/A | NONE | — | 0
CVE-2026-39395

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with ...

4.3 | MEDIUM | — | 0
CVE-2026-39382

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.git...

N/A | NONE | — | 0
CVE-2026-39381

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that th...

N/A | NONE | — | 0
CVE-2026-39380

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Loc...

5.4 | MEDIUM | — | 0
CVE-2026-39376

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls ...

7.5 | HIGH | — | 0
CVE-2026-39374

Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue acro...

6.5 | MEDIUM | — | 0
CVE-2026-39373

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression...

5.3 | MEDIUM | — | 0
CVE-2026-39371

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In ...

8.1 | HIGH | — | 0
CVE-2026-39370

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions suc...

7.1 | HIGH | — | 0
CVE-2026-39369

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/...

7.6 | HIGH | — | 0
CVE-2026-39368

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-sid...

6.5 | MEDIUM | — | 0
CVE-2026-39367

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly int...

5.4 | MEDIUM | — | 0
CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single...

6.5 | MEDIUM | — | 0
CVE-2026-39365

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls r...

N/A | NONE | — | 0
CVE-2026-39364

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved w...

N/A | NONE | — | 0
CVE-2026-39363

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker...

N/A | NONE | — | 0
CVE-2026-39361

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses beca...

7.7 | HIGH | — | 0
CVE-2026-39356

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions,...

7.5 | HIGH | — | 0
CVE-2026-39322

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. Tha...

8.8 | HIGH | — | 0
CVE-2026-32864

There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execu...

7.8 | HIGH | — | 0
CVE-2026-32863

There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW. This vulnerability may result in information disclosure or arbitra...

7.8 | HIGH | — | 0
CVE-2026-32862

There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code ...

7.8 | HIGH | — | 0
CVE-2026-32861

There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code...

7.8 | HIGH | — | 0
CVE-2026-32860

There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code e...

7.8 | HIGH | — | 0
CVE-2025-69515

An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporti...

9.1 | CRITICAL | — | 0
CVE-2025-56015

In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.

7.5 | HIGH | — | 0
CVE-2025-14859

The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algori...

N/A | NONE | — | 0
CVE-2025-14858

The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validit...

N/A | NONE | — | 0
CVE-2025-14857

An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails t...

N/A | NONE | — | 0
CVE-2026-5762

Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS. This issue was remediated only on the `master` branch.

N/A | NONE | — | 0
CVE-2026-5736

A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/Inst...

7.3 | HIGH | — | 0
CVE-2026-39360

RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who can...

N/A | NONE | — | 0
Page 17 of 6601

This product uses data from the NVD API but is not endorsed or certified by the NVD.