Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-4871 The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all versions up to, and inclu... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4330 The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to t... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4483 An exposed IOCTL with anΒ insufficient access control vulnerability has been identified in the utility, MxGeneralIo, for Moxaβs industrial x86 computers.Β The affected utility, MxGeneralIo, exposes IOC... | N/A | NONE | β | 0 |
| CVE-2026-39666 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in telepathy Hello Bar Popup Builder hellobar allows DOM-Based XSS.This issue affects Hello Bar Popup... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39667 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a thr... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-39680 Missing Authorization vulnerability in MWP Development Diet Calorie Calculator diet-calorie-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Diet C... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39679 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Free... | 7.5 | HIGH | β | 0 |
| CVE-2026-39700 Missing Authorization vulnerability in WPXPO WowOptin optin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowOptin: from n/a through <= 1.4.32. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39693 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.T... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-39695 Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.This issue affects Podigee: from n/a through <= 1.4.0. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-39697 Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.Thi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39699 Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Wor... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39705 Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MIPL WC Mult... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39707 Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels.Th... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39709 Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data.This issue affects The Tribal: from n/a through <= 1.3... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39711 Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-39713 Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorre... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-69627 Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated an... | 8.4 | HIGH | β | 0 |
| CVE-2026-34457 OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-35032 Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not vali... | 8.1 | HIGH | β | 0 |
| CVE-2026-39963 Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as ... | 6.9 | MEDIUM | β | 0 |
| CVE-2026-39971 Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMT... | 7.2 | HIGH | β | 0 |
| CVE-2026-40104 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerab... | 8.2 | HIGH | β | 0 |
| CVE-2026-40105 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.1... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-25058 Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/t... | 7.5 | HIGH | β | 0 |
| CVE-2026-25883 Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that... | 5.8 | MEDIUM | β | 0 |
| CVE-2026-26944 Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for ... | 8.8 | HIGH | β | 0 |
| CVE-2026-41245 Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlle... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-6066 ConnectWise has released a security update for ConnectWise Automateβ’ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur wit... | 7.1 | HIGH | β | 0 |
| CVE-2026-30266 Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file | 7.8 | HIGH | β | 0 |
| CVE-2025-1241 Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV whichΒ allows admin users to brute-force decryption of data. | 5.8 | MEDIUM | β | 0 |
| CVE-2026-0972 HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-35230 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileg... | 7.5 | HIGH | β | 0 |
| CVE-2026-35246 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileg... | 7.5 | HIGH | β | 0 |
| CVE-2026-35247 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged... | 6.0 | MEDIUM | β | 0 |
| CVE-2026-35248 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileg... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-35249 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged... | 3.2 | LOW | β | 0 |
| CVE-2026-35250 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged... | 2.3 | LOW | β | 0 |
| CVE-2026-35251 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileg... | 7.5 | HIGH | β | 0 |
| CVE-2026-41171 Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection... | N/A | NONE | β | 0 |
| CVE-2026-1726 IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1 | 4.8 | MEDIUM | β | 0 |
| CVE-2026-6874 A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing a manipulation of the argument Host c... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6878 A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate ... | 5.6 | MEDIUM | β | 0 |
| CVE-2026-2951 The Gutentor β Gutenberg Blocks β Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input ... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3844 The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-3361 The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5464 The ExactMetrics β Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to... | 7.2 | HIGH | β | 0 |
| CVE-2025-62104 Missing Authorization vulnerability in Navneil Naicker ACF Galerie 4 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ACF Galerie 4: from n/a through 1.4.2. | 4.3 | MEDIUM | β | 0 |
| CVE-2025-62110 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rescue Themes Rescue Shortcodes allows Stored XSS.This issue affects Rescue Shortcodes: from n/a t... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-28040 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Stored XSS.This issue affects Taxi Boo... | 6.5 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.