Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-59214 Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-20872 External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25724 Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user expl... | 7.5 | HIGH | β | 0 |
| CVE-2026-4974 A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the function fromSetSysTime of the file /goform/SetSysTimeCfg of the component POST Request Handler. Executing a manipulation ... | 8.8 | HIGH | β | 0 |
| CVE-2026-21253 Use after free in Mailslot File System allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | β | 0 |
| CVE-2026-24294 Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | β | 0 |
| CVE-2026-28867 This issue was addressed with improved authentication. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, ... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-30533 A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2014-3153 The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted... | 7.8 | HIGH | KEV | 0 |
| CVE-2021-20022 SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host. | 7.2 | HIGH | KEV | 0 |
| CVE-2026-5030 A vulnerability has been found in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipula... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-15615 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cau... | 5.8 | MEDIUM | β | 0 |
| CVE-2025-15616 Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through va... | 6.7 | MEDIUM | β | 0 |
| CVE-2026-28367 A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such... | 8.7 | HIGH | β | 0 |
| CVE-2026-28368 A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. Th... | 8.7 | HIGH | β | 0 |
| CVE-2026-33748 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir compo... | N/A | NONE | β | 0 |
| CVE-2026-33763 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given passw... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4984 The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' paramete... | 8.2 | HIGH | β | 0 |
| CVE-2026-5010 A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victimβs browser by sending them a malicio... | N/A | NONE | β | 0 |
| CVE-2026-5022 The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by kno... | N/A | NONE | β | 0 |
| CVE-2026-5025 The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-5026 The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an ... | N/A | NONE | β | 0 |
| CVE-2021-25370 An incorrect implementation handling file descriptor in dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic. | 6.1 | MEDIUM | KEV | 0 |
| CVE-2025-6204 An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code. | 8.0 | HIGH | KEV | 0 |
| CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability | 8.8 | HIGH | KEV | 0 |
| CVE-2026-4844 A vulnerability was detected in code-projects Online Food Ordering System 1.0. This issue affects some unknown processing of the file /admin.php of the component Admin Login Module. The manipulation o... | 7.3 | HIGH | β | 0 |
| CVE-2026-4909 A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site s... | 2.4 | LOW | β | 0 |
| CVE-2026-4910 A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus up to 1.3.44. Affected is an unknown function of the file /RemoteFormat.do of the component Endpoint. Such man... | 7.3 | HIGH | β | 0 |
| CVE-2022-26925 Windows LSA Spoofing Vulnerability | 8.1 | HIGH | KEV | 0 |
| CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 | HIGH | KEV | 0 |
| CVE-2026-2287 CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23973 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo golo allows Reflected XSS.This issue affects Golo: from n/a through < 1.7.5. | 7.1 | HIGH | β | 0 |
| CVE-2026-25033 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.This issue affects Motta Addons: from n/a... | 7.1 | HIGH | β | 0 |
| CVE-2026-23977 Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security L... | 7.5 | HIGH | β | 0 |
| CVE-2026-23979 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Softwebmedia Gyan Elements gyan-elements allows Reflected XSS.This issue affects Gyan Elements: fr... | 7.1 | HIGH | β | 0 |
| CVE-2026-24359 Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4. | 8.8 | HIGH | β | 0 |
| CVE-2026-24364 Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a th... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-25123 Cross-Site Request Forgery (CSRF) vulnerability in xdark Easy Related Posts easy-related-posts allows Stored XSS.This issue affects Easy Related Posts: from n/a through <= 2.0.2. | N/A | NONE | β | 0 |
| CVE-2025-25125 Cross-Site Request Forgery (CSRF) vulnerability in CyrilG Fyrebox Quizzes fyrebox-shortcode allows Stored XSS.This issue affects Fyrebox Quizzes: from n/a through <= 3.1. | N/A | NONE | β | 0 |
| CVE-2025-25126 Cross-Site Request Forgery (CSRF) vulnerability in zmseo ZMSEO zmseo allows Stored XSS.This issue affects ZMSEO: from n/a through <= 1.14.1. | N/A | NONE | β | 0 |
| CVE-2025-25128 Cross-Site Request Forgery (CSRF) vulnerability in orlandolac Facilita Form Tracker facilita-form-tracker allows Stored XSS.This issue affects Facilita Form Tracker: from n/a through <= 1.0. | N/A | NONE | β | 0 |
| CVE-2025-25135 Cross-Site Request Forgery (CSRF) vulnerability in Victor Barkalov Custom Links On Admin Dashboard Toolbar customize-wpadmin allows Stored XSS.This issue affects Custom Links On Admin Dashboard Toolba... | N/A | NONE | β | 0 |
| CVE-2025-25136 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shujahat21 Optimate Ads optimate-ads allows Stored XSS.This issue affects Optimate Ads: from n/a t... | N/A | NONE | β | 0 |
| CVE-2025-25138 Cross-Site Request Forgery (CSRF) vulnerability in Rishi On Page SEO + Whatsapp Chat Button ops-robots-txt allows Stored XSS.This issue affects On Page SEO + Whatsapp Chat Button: from n/a through <= ... | N/A | NONE | β | 0 |
| CVE-2025-25139 Cross-Site Request Forgery (CSRF) vulnerability in Cynob IT Consultancy WP Custom Post RSS Feed wp-custom-post-rss-feed allows Stored XSS.This issue affects WP Custom Post RSS Feed: from n/a through <... | N/A | NONE | β | 0 |
| CVE-2025-25140 Cross-Site Request Forgery (CSRF) vulnerability in Scriptonite Simple User Profile simple-user-profile allows Stored XSS.This issue affects Simple User Profile: from n/a through <= 1.9. | N/A | NONE | β | 0 |
| CVE-2025-25141 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup fami-sales-popup allows PHP Local File Inclusion.This... | N/A | NONE | β | 0 |
| CVE-2025-25143 Cross-Site Request Forgery (CSRF) vulnerability in ibasit GlobalQuran globalquran allows Cross Site Request Forgery.This issue affects GlobalQuran: from n/a through <= 1.0. | N/A | NONE | β | 0 |
| CVE-2025-25144 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys theasys allows Stored XSS.This issue affects Theasys: from n/a through <= 1.0.1. | N/A | NONE | β | 0 |
| CVE-2019-25580 ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET ... | 8.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.