Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-32278 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issu... | 8.2 | HIGH | β | 0 |
| CVE-2026-32279 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) iss... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-32300 Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the M... | 8.1 | HIGH | β | 0 |
| CVE-2026-33241 Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading reque... | 7.5 | HIGH | β | 0 |
| CVE-2026-33242 Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated ex... | 7.5 | HIGH | β | 0 |
| CVE-2026-33307 Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a f... | 7.5 | HIGH | β | 0 |
| CVE-2026-33308 Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.13.0, code for client certificate verification did not check the key purpose as set in the Extended Key Usage extension.... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-33475 Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repos... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-23924 Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary fil... | N/A | NONE | β | 0 |
| CVE-2026-32493 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix JobSearch wp-jobsearch allows Reflected XSS.This issue affects JobSearch: from n/a through ... | 7.1 | HIGH | β | 0 |
| CVE-2026-31920 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind ... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-32484 Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26. | 8.8 | HIGH | β | 0 |
| CVE-2026-32483 Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32489 Missing Authorization vulnerability in bPlugins B Blocks b-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects B Blocks: from n/a through < 2.0.30. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-31921 Missing Authorization vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This... | 8.2 | HIGH | β | 0 |
| CVE-2026-33484 Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any... | 7.5 | HIGH | β | 0 |
| CVE-2026-33497 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpo... | 7.5 | HIGH | β | 0 |
| CVE-2026-30653 An issue in Free5GC v.4.2.0 and before allows a remote attacker to cause a denial of service via the function HandleAuthenticationFailure of the component AMF | 7.5 | HIGH | β | 0 |
| CVE-2026-30662 ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creat... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33313 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the co... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33315 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2F... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33316 Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunjaβs password reset logic allows disabled users to regain access to their accounts. The `ResetPas... | 8.1 | HIGH | β | 0 |
| CVE-2026-29840 JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filter... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32505 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy... | 8.1 | HIGH | β | 0 |
| CVE-2026-32499 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a throu... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-32506 Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection.This issue affects Archicon: from n/a through < 1.7. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32495 Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n... | 7.5 | HIGH | β | 0 |
| CVE-2026-32496 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue aff... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-32497 Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33419 MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credenti... | 7.5 | HIGH | β | 0 |
| CVE-2026-32302 OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived... | 8.1 | HIGH | β | 0 |
| CVE-2026-32731 ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.crea... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-32805 Romeo gives the capability to reach high code coverage of Go β₯1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `san... | 7.5 | HIGH | β | 0 |
| CVE-2025-36051 IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user. | 6.2 | MEDIUM | β | 0 |
| CVE-2026-1276 IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alter... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32006 OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and gro... | 3.1 | LOW | β | 0 |
| CVE-2026-32007 OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directo... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-33408 Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categ... | 2.2 | LOW | β | 0 |
| CVE-2026-33012 Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache ... | 7.5 | HIGH | β | 0 |
| CVE-2026-33013 Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descendi... | 7.5 | HIGH | β | 0 |
| CVE-2026-32064 OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attacke... | 7.7 | HIGH | β | 0 |
| CVE-2026-32065 OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-32067 OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approva... | 3.7 | LOW | β | 0 |
| CVE-2026-32897 OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is uns... | 3.7 | LOW | β | 0 |
| CVE-2026-32899 OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configu... | 4.3 | MEDIUM | β | 0 |
| CVE-2019-25570 RealTerm Serial Terminal 2.0.0.70 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Port field. Attackers c... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-33293 WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitizatio... | 8.1 | HIGH | β | 0 |
| CVE-2026-33294 WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents(... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-33046 Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax... | 8.8 | HIGH | β | 0 |
| CVE-2026-4686 Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. | 7.5 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.