Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-0974 The Orderable β WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'in... | 8.8 | HIGH | β | 0 |
| CVE-2026-1455 The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validat... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25242 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25474 OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without ver... | 7.5 | HIGH | β | 0 |
| CVE-2026-2282 The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escapin... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-2284 The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce ve... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2502 The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin tru... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-25409 Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JAMstack Deployme... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25410 Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CORS: from n/a through <= 0.2.2. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25411 Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery.This issue affects Revision Manager TMC: from n/a through <=... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25412 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2026-25415 Missing Authorization vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPBookit Pro: from n/a through ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-25416 Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News K... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25420 Missing Authorization vulnerability in MailerLite MailerLite official-mailerlite-sign-up-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailerLite: fr... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25422 Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25428 Server-Side Request Forgery (SSRF) vulnerability in totalsoft TS Poll poll-wp allows Server Side Request Forgery.This issue affects TS Poll: from n/a through <= 2.5.5. | 4.4 | MEDIUM | β | 0 |
| CVE-2026-2735 Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to β/blog/new-article/org.opencms.ugc.CmsUgcEditService... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2736 Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the βqβ pa... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-12107 Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful... | 8.4 | HIGH | β | 0 |
| CVE-2025-13590 A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code exec... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-1219 The MP3 Audio Player β Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1461 The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin on... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-22266 Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remot... | 4.7 | MEDIUM | β | 0 |
| CVE-2019-25405 Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. Attackers can... | 7.2 | HIGH | β | 0 |
| CVE-2019-25406 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the organization parameter. Attackers can send POST... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25407 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. Attac... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25408 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the netmask_addr parameter. Attacker... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25409 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the destination parameter. Attackers can send POST ... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25410 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through the source and destination parameters. Attackers can submit... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25423 Comodo Dome Firewall 2.7.0 contains multiple reflected cross-site scripting vulnerabilities in the /korugan/proxyconfig endpoint that allow attackers to inject malicious scripts through POST parameter... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25424 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input to the EXCEPTIONSITELIST parameter.... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25425 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the VIRUS_ADMIN parameter. Attackers... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25426 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the dnsmasq endpoint. Attackers can ... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25427 Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the antispyware endpoint. Attackers ... | 6.1 | MEDIUM | β | 0 |
| CVE-2019-25428 Comodo Dome Firewall 2.7.0 contains multiple reflected cross-site scripting vulnerabilities in the openvpn_users endpoint that allow attackers to inject malicious scripts through POST parameters. Atta... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-25940 jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript action... | 8.1 | HIGH | β | 0 |
| CVE-2026-26223 SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an at... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-26345 SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2274 A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network r... | N/A | NONE | β | 0 |
| CVE-2025-69674 Buffer Overflow vulnerability in CDATA FD614GS3-R850 V3.2.7_P161006 (Build.0333.250211) allows an attacker to execute arbitrary code via the node_mac, node_opt, opt_param, and domainblk parameters of ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-69725 An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain. | 4.7 | MEDIUM | β | 0 |
| CVE-2026-1581 The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied... | 7.5 | HIGH | β | 0 |
| CVE-2026-27476 RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send cra... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23614 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework IP Exceptions interface. An authenticated user can supply HTML/JavaScrip... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23615 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework Email Exceptions interface. An authenticated user can supply HTML/JavaSc... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23616 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23617 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Body) conditions interface. An authenticated user can supply HTML/JavaScr... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23618 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/Java... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23619 GFI MailEssentials AI versions prior toΒ 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$Conte... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-23621 GFI MailEssentials AI versions prior toΒ 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.