Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-35554 A race condition in the Apache Kafka Java producer clientβs buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeou... | 8.7 | HIGH | β | 0 |
| CVE-2026-35460 Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. A... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-35480 go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on I... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-35485 text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_grammar() allows reading any file on the ... | 7.5 | HIGH | β | 0 |
| CVE-2026-5380 An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Cred... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-24818 Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application. | 8.0 | HIGH | β | 0 |
| CVE-2025-24819 Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application. | 5.7 | MEDIUM | β | 0 |
| CVE-2026-1078 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Ed... | N/A | NONE | β | 0 |
| CVE-2026-1079 A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a web... | N/A | NONE | β | 0 |
| CVE-2026-35487 text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_prompt() allows reading any .txt file on ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35488 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative p... | 8.1 | HIGH | β | 0 |
| CVE-2026-35491 FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) th... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-33815 Memory-safety vulnerability in github.com/jackc/pgx/v5. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30460 Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. | 8.8 | HIGH | β | 0 |
| CVE-2026-35526 Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allo... | 7.5 | HIGH | β | 0 |
| CVE-2026-35571 Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme v... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-4931 Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost. | 6.8 | MEDIUM | β | 0 |
| CVE-2024-36058 The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, a... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-35583 Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked f... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35592 pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for i... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-35610 PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted adm... | 8.8 | HIGH | β | 0 |
| CVE-2026-35611 Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two c... | 7.5 | HIGH | β | 0 |
| CVE-2026-35615 PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collap... | 7.5 | HIGH | β | 0 |
| CVE-2026-24146 NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash. A successful exploit of this vulnerability might l... | 7.5 | HIGH | β | 0 |
| CVE-2026-24156 NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution. | 7.3 | HIGH | β | 0 |
| CVE-2026-39317 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39334. Reason: This candidate is a duplicate of CVE-2026-39334. Notes: All CVE users should reference CVE-2026-3933... | N/A | NONE | β | 0 |
| CVE-2026-31271 megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthen... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-35572 ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer requ... | 6.0 | MEDIUM | β | 0 |
| CVE-2026-39319 ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenti... | 8.8 | HIGH | β | 0 |
| CVE-2026-39321 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending ... | 3.7 | LOW | β | 0 |
| CVE-2026-39324 Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryp... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-39331 ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} para... | 8.1 | HIGH | β | 0 |
| CVE-2026-39335 ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path w... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39343 ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST ... | 7.2 | HIGH | β | 0 |
| CVE-2026-39344 ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or en... | N/A | NONE | β | 0 |
| CVE-2025-71058 Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches r... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-39348 OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-39349 OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaint... | 2.7 | LOW | β | 0 |
| CVE-2026-32862 There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW.Β This vulnerability may result in information disclosure or arbitrary code ... | 7.8 | HIGH | β | 0 |
| CVE-2026-32863 There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW.Β This vulnerability may result in information disclosure or arbitra... | 7.8 | HIGH | β | 0 |
| CVE-2026-39356 Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions,... | 7.5 | HIGH | β | 0 |
| CVE-2026-39366 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39364 Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved w... | 7.5 | HIGH | β | 0 |
| CVE-2026-39368 WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-sid... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39373 JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39382 dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.git... | N/A | NONE | β | 0 |
| CVE-2026-39838 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements.... | N/A | NONE | β | 0 |
| CVE-2026-5739 A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint.... | 7.3 | HIGH | β | 0 |
| CVE-2026-39837 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: b... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39401 Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this ... | 5.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.