Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-2625 A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, thi... | 4.0 | MEDIUM | β | 0 |
| CVE-2026-0545 In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the lates... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-5484 A weakness has been identified in BookStackApp BookStack up to 26.03. Affected is the function chapterToMarkdown of the file app/Exports/ExportFormatter.php of the component Chapter Export Handler. Ex... | 5.3 | MEDIUM | β | 0 |
| CVE-2017-20237 Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contains an authentication bypass vulnerability in the master service that allows unauthenticated remote attackers to execute arbit... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37216 Hirschmann HiOS devices versions prior to 08.1.00 and 07.1.01 contain a denial of service vulnerability in the EtherNet/IP stack where improper handling of packet length fields allows remote attacker... | 7.5 | HIGH | β | 0 |
| CVE-2022-4987 Hirschmann Industrial HiVision version 08.1.03 prior to 08.1.04 and 08.2.00 contains a vulnerability in the execution of user-configured external applications that allows a local attacker to execute a... | 7.3 | HIGH | β | 0 |
| CVE-2025-10681 Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulne... | 8.6 | HIGH | β | 0 |
| CVE-2026-22662 prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-contr... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25197 A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call. | 9.1 | CRITICAL | β | 0 |
| CVE-2026-26058 Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.js... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-28767 A specific administrative endpoint notifications is accessible without proper authentication. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32646 A specific administrative endpoint is accessible without proper authentication, exposing device management functions. | 7.5 | HIGH | β | 0 |
| CVE-2026-32662 Development and test API endpoints are present that mirror production functionality. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34511 OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both th... | 5.3 | MEDIUM | β | 0 |
| CVE-2015-10148 Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remot... | 8.2 | HIGH | β | 0 |
| CVE-2026-27447 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability du... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-27456 util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux.... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-27481 Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass v... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-33175 OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an ... | 8.8 | HIGH | β | 0 |
| CVE-2017-20233 Hirschmann HiLCOS products OpenBAT, BAT450, WLC, BAT867 contains a firewall filtering vulnerability that fails to correctly filter IPv4 multicast and broadcast traffic when management IP address filte... | 5.4 | MEDIUM | β | 0 |
| CVE-2017-20234 GarrettCom Magnum 6K and 10K managed switches contain an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access by exploiting a hardcoded string in the a... | 9.8 | CRITICAL | β | 0 |
| CVE-2017-20235 ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways contain an authentication bypass vulnerability in the web user interface that allows unauthenticated attackers to gain access to ad... | 9.1 | CRITICAL | β | 0 |
| CVE-2017-20238 Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contains an improper authorization vulnerability that allows read-only users to gain write access to managed de... | 7.1 | HIGH | β | 0 |
| CVE-2018-25236 Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthentica... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-4477 Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-34787 Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET reque... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34936 PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and pas... | 7.7 | HIGH | β | 0 |
| CVE-2026-34937 PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing... | 7.8 | HIGH | β | 0 |
| CVE-2026-34953 PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-34770 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, apps that use the powerMonitor modu... | 7.0 | HIGH | β | 0 |
| CVE-2026-34771 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that register an asynchronous ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34773 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on Windows, app.setAsDefaultProtocolClient... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-34776 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on macOS and Linux, apps that call app.req... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34777 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointe... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3571 The Pie Register β User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pie_main() functio... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-14938 The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all versions up to, and including, 2.0.27 via the "listeo_core_handle_dropped_media" function. This is d... | 5.3 | MEDIUM | β | 0 |
| CVE-2016-20056 Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious exec... | 7.8 | HIGH | β | 0 |
| CVE-2016-20058 Netgate AMITI Antivirus build 23.0.305 contains an unquoted service path vulnerability in the AmitiAvSrv and AmitiAntivirusHealth services that allows local attackers to escalate privileges. Attackers... | 7.8 | HIGH | β | 0 |
| CVE-2016-20059 IObit Malware Fighter 4.3.1 contains an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services that allows local attackers to escalate privileges. Attackers can insert a mali... | 7.8 | HIGH | β | 0 |
| CVE-2016-20060 Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Attackers can pl... | 7.8 | HIGH | β | 0 |
| CVE-2018-25240 Watchr 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can paste... | 6.2 | MEDIUM | β | 0 |
| CVE-2018-25241 VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers... | 7.5 | HIGH | β | 0 |
| CVE-2018-25250 MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. ... | 7.2 | HIGH | β | 0 |
| CVE-2018-25252 FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can crea... | 6.2 | MEDIUM | β | 0 |
| CVE-2018-25253 Termite 3.4 contains a buffer overflow vulnerability in the User interface language settings field that allows local attackers to cause a denial of service by supplying an excessively long string. Att... | 6.2 | MEDIUM | β | 0 |
| CVE-2026-5526 A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results... | 7.3 | HIGH | β | 0 |
| CVE-2026-5527 A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Pri... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-5528 A security vulnerability has been detected in MoussaabBadla code-screenshot-mcp up to 0.1.0. This affects an unknown part of the component HTTP Interface. Such manipulation leads to os command injecti... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5529 A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipula... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-5535 A security flaw has been discovered in FedML-AI FedML up to 0.8.9. This impacts an unknown function of the file FileUtils.java of the component MQTT Message Handler. Performing a manipulation of the a... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.