Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-5874 Use after free in PrivateAI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a craft... | N/A | NONE | β | 0 |
| CVE-2026-5873 Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi... | N/A | NONE | β | 0 |
| CVE-2026-5872 Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | N/A | NONE | β | 0 |
| CVE-2026-5871 Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | N/A | NONE | β | 0 |
| CVE-2026-5870 Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | N/A | NONE | β | 0 |
| CVE-2026-5869 Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secur... | N/A | NONE | β | 0 |
| CVE-2026-5868 Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: ... | N/A | NONE | β | 0 |
| CVE-2026-5867 Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secur... | N/A | NONE | β | 0 |
| CVE-2026-5866 Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | N/A | NONE | β | 0 |
| CVE-2026-5865 Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | N/A | NONE | β | 0 |
| CVE-2026-5864 Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium se... | N/A | NONE | β | 0 |
| CVE-2026-5863 Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi... | N/A | NONE | β | 0 |
| CVE-2026-5862 Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Hi... | N/A | NONE | β | 0 |
| CVE-2026-5861 Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | N/A | NONE | β | 0 |
| CVE-2026-5860 Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | N/A | NONE | β | 0 |
| CVE-2026-5859 Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | N/A | NONE | β | 0 |
| CVE-2026-5858 Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | N/A | NONE | β | 0 |
| CVE-2026-5810 A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected is an unknown function of the file /delete.php of the component GET Parameter Handler. This manipulation of the argumen... | 3.5 | LOW | β | 0 |
| CVE-2026-5808 A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/clien... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5806 A security vulnerability has been detected in code-projects Easy Blog Site 1.0. This affects an unknown function of the file /posts/update.php. The manipulation of the argument postTitle leads to cros... | 3.5 | LOW | β | 0 |
| CVE-2026-5711 The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 du... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-40037 OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attacke... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-40036 Unfurl beforeΒ 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payl... | 7.5 | HIGH | β | 0 |
| CVE-2026-40035 Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed dire... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40032 UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes ... | 7.8 | HIGH | β | 0 |
| CVE-2026-40031 MemProcFS before 5.17 contains multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces, including bare-name LoadLibraryU and dlopen calls witho... | 7.8 | HIGH | β | 0 |
| CVE-2026-40030 parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary ... | 7.8 | HIGH | β | 0 |
| CVE-2026-40029 parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution v... | 7.8 | HIGH | β | 0 |
| CVE-2026-40028 Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported lo... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40027 ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a dat... | 7.3 | HIGH | β | 0 |
| CVE-2026-40026 The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk ima... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-40025 The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bou... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-40024 The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted f... | 7.1 | HIGH | β | 0 |
| CVE-2026-39901 monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transac... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-5805 A weakness has been identified in code-projects Easy Blog Site up to 1.0. The impacted element is an unknown function of the file /users/contact_us.php. Executing a manipulation of the argument Name c... | 7.3 | HIGH | β | 0 |
| CVE-2026-5803 A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5451 The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insuffic... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5436 The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key... | 8.1 | HIGH | β | 0 |
| CVE-2026-39892 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Pytho... | N/A | NONE | β | 0 |
| CVE-2026-39891 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user ... | 8.8 | HIGH | β | 0 |
| CVE-2026-39890 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/functio... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-39889 PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function ... | 7.5 | HIGH | β | 0 |
| CVE-2026-39888 PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a ... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-39885 FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in Ope... | 7.5 | HIGH | β | 0 |
| CVE-2026-39883 OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command usi... | N/A | NONE | β | 0 |
| CVE-2026-39882 OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a siz... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39881 Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands wh... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-39860 Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-39844 NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backsl... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-39429 kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and ... | 8.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.