Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-40744 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue af... | 8.5 | HIGH | β | 0 |
| CVE-2026-40742 Missing Authorization vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nelio AB Testing: fro... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40740 Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.7. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40737 Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40734 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Imag... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-40730 Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeGril... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40729 Missing Authorization vulnerability in bPlugins 3D viewer β Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D viewer β Embed 3D Mo... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-40728 Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Blocks: from n/a thr... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33805 @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This all... | N/A | NONE | β | 0 |
| CVE-2026-30778 The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recomm... | 7.5 | HIGH | β | 0 |
| CVE-2026-28741 Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's aut... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-27769 Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Wor... | 2.7 | LOW | β | 0 |
| CVE-2026-5598 Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC... | N/A | NONE | β | 0 |
| CVE-2026-5588 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pki... | N/A | NONE | β | 0 |
| CVE-2026-3505 Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associ... | N/A | NONE | β | 0 |
| CVE-2026-33808 Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-s... | N/A | NONE | β | 0 |
| CVE-2026-33807 @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registere... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-0636 Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is assoc... | N/A | NONE | β | 0 |
| CVE-2025-14813 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlo... | N/A | NONE | β | 0 |
| CVE-2024-33618 Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. | 7.5 | HIGH | β | 0 |
| CVE-2026-5717 The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and includin... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5694 The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insuff... | 7.2 | HIGH | β | 0 |
| CVE-2026-5617 The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-control... | 8.8 | HIGH | β | 0 |
| CVE-2026-4091 The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func_... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4011 The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up to, and including, 0.1.0. This is due to insuffi... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4005 The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient in... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4002 The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function whi... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3998 The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3. This is due to in... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3659 The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3649 The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3643 The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/up... | 7.2 | HIGH | β | 0 |
| CVE-2026-3642 The e-shotβ’ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capabi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3461 The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` fun... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1782 The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the payment integrations (Stripe/PayPal) trusting a user-sub... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-52641 HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying e... | 2.9 | LOW | β | 0 |
| CVE-2025-40899 A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges c... | 8.9 | HIGH | β | 0 |
| CVE-2025-40897 An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authent... | 8.1 | HIGH | β | 0 |
| CVE-2026-5088 Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::R... | 7.5 | HIGH | β | 0 |
| CVE-2026-6293 The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on th... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-40719 Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved. | 7.5 | HIGH | β | 0 |
| CVE-2026-5160 Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer val... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-5397 It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malici... | 7.8 | HIGH | β | 0 |
| CVE-2026-26291 Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser. | N/A | NONE | β | 0 |
| CVE-2026-6328 Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame ha... | N/A | NONE | β | 0 |
| CVE-2026-4812 The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query en... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40499 radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in ... | N/A | NONE | β | 0 |
| CVE-2026-40105 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.1... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-40104 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerab... | 8.2 | HIGH | β | 0 |
| CVE-2026-40096 immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40091 SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "... | 6.0 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.