Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-5044 A security vulnerability has been detected in Belkin F9K1122 1.00.33. This affects the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. Such m... | 8.8 | HIGH | β | 0 |
| CVE-2026-3770 A flaw has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack is possible to be carri... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3771 A vulnerability has been found in SourceCodester/janobe Resort Reservation System 1.0. This vulnerability affects unknown code of the file /accomodation.php. Such manipulation of the argument q leads ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-3785 A vulnerability was identified in EasyCMS up to 1.6. The affected element is an unknown function of the file /RbacnodeAction.class.php of the component Request Parameter Handler. The manipulation of t... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-7741 Hardcoded Password Vulnerability have been found in CENTUM.Β Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the ... | N/A | NONE | β | 0 |
| CVE-2026-2370 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed... | 8.1 | HIGH | β | 0 |
| CVE-2025-3716 User enumeration in ESET Protect (on-prem) viaΒ Response Timing. | N/A | NONE | β | 0 |
| CVE-2026-39839 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo E... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-5302 CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites | 6.3 | MEDIUM | β | 0 |
| CVE-2026-39394 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads t... | 8.1 | HIGH | β | 0 |
| CVE-2026-2285 CrewAI contains a arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation, enabling access to files on the server. | 7.5 | HIGH | β | 0 |
| CVE-2026-2287 CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-24369 Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0. | 7.1 | HIGH | β | 0 |
| CVE-2026-30556 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The applicatio... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-24970 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2... | 7.7 | HIGH | β | 0 |
| CVE-2026-24971 Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go searchgo allows Privilege Escalation.This issue affects Search & Go: from n/a through <= 2.8. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-20041 A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected d... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4927 Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This i... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-36373 IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway coul... | 4.1 | MEDIUM | β | 0 |
| CVE-2026-32867 OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28871 A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website m... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-26831 textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to chil... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25373 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a... | 7.1 | HIGH | β | 0 |
| CVE-2026-25435 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS.This issu... | 7.1 | HIGH | β | 0 |
| CVE-2026-25437 Missing Authorization vulnerability in Ψ³ΫΨ― Ω ΨΩ Ψ―Ψ§Ω ΫΩ ΩΨ§Ψ΄Ω Ϋ GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25457 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | β | 0 |
| CVE-2026-25458 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | β | 0 |
| CVE-2026-27663 A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), RTUM85Β RTU Base (All versions < V26.10). The affected application contains denial-of-service (Do... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33469 Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration throug... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34071 Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true ret... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33477 FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an au... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33495 ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33496 ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authenticati... | 8.1 | HIGH | β | 0 |
| CVE-2026-33506 Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability ... | 8.8 | HIGH | β | 0 |
| CVE-2026-3190 A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33529 Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated u... | 3.3 | LOW | β | 0 |
| CVE-2026-33532 `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-0966 The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),... | 8.2 | HIGH | β | 0 |
| CVE-2026-0965 A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system i... | N/A | NONE | β | 0 |
| CVE-2026-21724 A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the requi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-33632 ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.4, two file operation event types β ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVE... | 7.8 | HIGH | β | 0 |
| CVE-2026-33621 PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable ... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-30557 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The app... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-33635 iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sa... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33644 Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only ac... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33640 Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-33653 Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during t... | 4.6 | MEDIUM | β | 0 |
| CVE-2026-33664 Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields β description, inputs[].displayName, inputs[].descriptio... | 7.3 | HIGH | β | 0 |
| CVE-2026-28788 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `PO... | 7.1 | HIGH | β | 0 |
| CVE-2026-33687 Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file ... | 8.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.