Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-33999 A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a... | 7.8 | HIGH | β | 0 |
| CVE-2025-50229 Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-34003 A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerabil... | 7.8 | HIGH | β | 0 |
| CVE-2026-40470 A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the m... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-41238 DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPu... | 6.9 | MEDIUM | β | 0 |
| CVE-2026-41239 DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untruste... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-39087 An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25524 Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pri... | 8.1 | HIGH | β | 0 |
| CVE-2026-25525 Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pri... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-40098 Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pri... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40488 Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pri... | 8.8 | HIGH | β | 0 |
| CVE-2026-32613 Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artif... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-39378 The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markd... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39386 Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative ... | 8.8 | HIGH | β | 0 |
| CVE-2026-34295 Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34296 Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Ea... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-34297 Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34313 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34314 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-34321 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affect... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-34324 Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-41206 PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to preven... | N/A | NONE | β | 0 |
| CVE-2025-70994 Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without impleme... | 7.3 | HIGH | β | 0 |
| CVE-2026-31533 In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by co... | N/A | NONE | β | 0 |
| CVE-2026-40182 OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if th... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-41909 OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers wi... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-40907 WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-40908 WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user.... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40909 WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path a... | 8.7 | HIGH | β | 0 |
| CVE-2026-40343 free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling f... | 5.8 | MEDIUM | β | 0 |
| CVE-2026-41135 free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability in versions prior to 1.4.3 allows any ... | 7.5 | HIGH | β | 0 |
| CVE-2026-41136 free5GC AMF provides Access & Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5816 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript... | 8.0 | HIGH | β | 0 |
| CVE-2026-41213 @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-41241 pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown ... | 8.7 | HIGH | β | 0 |
| CVE-2026-6074 A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful e... | N/A | NONE | β | 0 |
| CVE-2026-41138 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input veri... | 8.8 | HIGH | β | 0 |
| CVE-2026-41264 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-41271 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain com... | 8.3 | HIGH | β | 0 |
| CVE-2025-0186 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause den... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-3922 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause den... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-6016 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause deni... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-9957 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authen... | 2.7 | LOW | β | 0 |
| CVE-2026-1660 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authen... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4922 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute... | 8.1 | HIGH | β | 0 |
| CVE-2026-5262 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unau... | 8.0 | HIGH | β | 0 |
| CVE-2026-5377 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in publ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-28950 A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly r... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-6375 A vulnerability in SpiceJetβs booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an atta... | N/A | NONE | β | 0 |
| CVE-2026-6376 A weakness in SpiceJetβs public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This res... | N/A | NONE | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.