Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-35614 Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 and 15.104.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-35615 PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collap... | N/A | NONE | β | 0 |
| CVE-2026-39305 PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary ... | 9.0 | CRITICAL | β | 0 |
| CVE-2026-39306 PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive ... | 7.3 | HIGH | β | 0 |
| CVE-2026-39307 PraisonAI is a multi-agent teams system. Prior to 1.5.113, The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting templ... | 8.1 | HIGH | β | 0 |
| CVE-2026-39308 PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.... | 7.1 | HIGH | β | 0 |
| CVE-2026-39312 SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.... | 7.5 | HIGH | β | 0 |
| CVE-2026-39314 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-c... | 4.0 | MEDIUM | β | 0 |
| CVE-2026-39316 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) w... | 4.0 | MEDIUM | β | 0 |
| CVE-2026-39384 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging cust... | 7.6 | HIGH | β | 0 |
| CVE-2026-4631 Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22680 OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata crea... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-22682 OpenHarness prior to commit 166fcfeΒ contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who ca... | 7.1 | HIGH | β | 0 |
| CVE-2026-24146 NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash. A successful exploit of this vulnerability might l... | 7.5 | HIGH | β | 0 |
| CVE-2026-24147 NVIDIA Triton Inference Server contains a vulnerability in triton server where an attacker may cause an information disclosure by uploading a model configuration. A successful exploit of this vulnerab... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-24156 NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution. | 7.3 | HIGH | β | 0 |
| CVE-2026-24173 NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server. A successful exploit of this vulnerability might lead... | 7.5 | HIGH | β | 0 |
| CVE-2026-24174 NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server. A successful exploit of this vulnerability might lead... | 7.5 | HIGH | β | 0 |
| CVE-2026-24175 NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability mig... | 7.5 | HIGH | β | 0 |
| CVE-2026-31271 megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthen... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-31272 MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addit... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-35572 ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer requ... | N/A | NONE | β | 0 |
| CVE-2026-35573 ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-35575 ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panelβs group-creation feature allows any user with group-cr... | 8.0 | HIGH | β | 0 |
| CVE-2026-35576 ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue ... | 8.7 | HIGH | β | 0 |
| CVE-2026-39317 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39334. Reason: This candidate is a duplicate of CVE-2026-39334. Notes: All CVE users should reference CVE-2026-3933... | N/A | NONE | β | 0 |
| CVE-2026-39318 ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/F... | 8.8 | HIGH | β | 0 |
| CVE-2026-39319 ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenti... | 8.8 | HIGH | β | 0 |
| CVE-2026-39321 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending ... | N/A | NONE | β | 0 |
| CVE-2026-39323 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-3932... | N/A | NONE | β | 0 |
| CVE-2026-39324 Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryp... | N/A | NONE | β | 0 |
| CVE-2026-39325 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users ... | 7.2 | HIGH | β | 0 |
| CVE-2026-39326 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role i... | 8.8 | HIGH | β | 0 |
| CVE-2026-39327 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the ro... | 8.8 | HIGH | β | 0 |
| CVE-2026-39328 ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users w... | 8.9 | HIGH | β | 0 |
| CVE-2026-39329 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can in... | 8.8 | HIGH | β | 0 |
| CVE-2026-39330 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manag... | 8.8 | HIGH | β | 0 |
| CVE-2026-39331 ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} para... | 8.1 | HIGH | β | 0 |
| CVE-2026-39332 ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript i... | 8.7 | HIGH | β | 0 |
| CVE-2026-39333 ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without prope... | 8.7 | HIGH | β | 0 |
| CVE-2026-39334 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without a... | 8.8 | HIGH | β | 0 |
| CVE-2026-39335 ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path w... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39336 ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered int... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39337 ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to in... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-39338 ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The appli... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39339 ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allow... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-39340 ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property typ... | 8.1 | HIGH | β | 0 |
| CVE-2026-39341 ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail... | 8.1 | HIGH | β | 0 |
| CVE-2026-39342 ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires a... | 8.8 | HIGH | β | 0 |
| CVE-2026-26135 Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network. | 9.6 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.