CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID and description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-40962 FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. | 4.9 | MEDIUM | β | 0 |
| CVE-2026-40505 MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ... | 3.3 | LOW | β | 0 |
| CVE-2026-40504 Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string lit... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-3299 The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitizat... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-40960 Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the req... | 8.1 | HIGH | β | 0 |
| CVE-2026-40959 Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod. | 9.3 | CRITICAL | β | 0 |
| CVE-2026-40503 OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memo... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-40502 OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient ... | 8.8 | HIGH | β | 0 |
| CVE-2026-5363 Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RS... | N/A | NONE | β | 0 |
| CVE-2026-4880 The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-40947 Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path. | 2.9 | LOW | β | 0 |
| CVE-2026-40245 Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the UDR (Unified Data Repos... | 7.5 | HIGH | β | 0 |
| CVE-2026-40193 maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search f... | 8.2 | HIGH | β | 0 |
| CVE-2026-4949 The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-40316 OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflo... | 8.8 | HIGH | β | 0 |
| CVE-2026-40192 Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attack... | 7.5 | HIGH | β | 0 |
| CVE-2026-40179 Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39350 Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-6388 A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace bounda... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40500 ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbi... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-1711 Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. | 4.8 | MEDIUM | β | 0 |
| CVE-2026-1564 Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. | 4.8 | MEDIUM | β | 0 |
| CVE-2026-6398 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide... | N/A | NONE | β | 0 |
| CVE-2026-40261 Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceR... | 8.8 | HIGH | β | 0 |
| CVE-2026-40186 ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-40176 Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shel... | 7.8 | HIGH | β | 0 |
| CVE-2026-40173 Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on... | 9.4 | CRITICAL | β | 0 |
| CVE-2026-22676 Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the... | 7.8 | HIGH | β | 0 |
| CVE-2026-6385 A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-6384 A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's `ReadJeffsImage` function allows an attacker to write beyond an allocated buffer by processing a speci... | 7.3 | HIGH | β | 0 |
| CVE-2026-6364 Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security sev... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-6363 Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | 8.8 | HIGH | β | 0 |
| CVE-2026-6362 Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: Hi... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-6361 Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a s... | 7.2 | HIGH | β | 0 |
| CVE-2026-6360 Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-6359 Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML... | 8.8 | HIGH | β | 0 |
| CVE-2026-6358 Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critica... | 8.8 | HIGH | β | 0 |
| CVE-2026-6319 Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted ... | 7.5 | HIGH | β | 0 |
| CVE-2026-6318 Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 8.8 | HIGH | β | 0 |
| CVE-2026-6317 Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-6316 Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
| CVE-2026-6315 Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a craft... | 8.8 | HIGH | β | 0 |
| CVE-2026-6314 Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chro... | 8.3 | HIGH | β | 0 |
| CVE-2026-6313 Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (... | 3.1 | LOW | β | 0 |
| CVE-2026-6312 Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML pa... | 3.1 | LOW | β | 0 |
| CVE-2026-6311 Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a ... | 8.3 | HIGH | β | 0 |
| CVE-2026-6310 Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chr... | 8.3 | HIGH | β | 0 |
| CVE-2026-6309 Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chro... | 8.3 | HIGH | β | 0 |
| CVE-2026-6308 Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page.... | 7.5 | HIGH | β | 0 |
| CVE-2026-6307 Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 8.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.