Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-70841 Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed... | 10.0 | CRITICAL | — | 0 |
| CVE-2025-70849 Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without... | 6.1 | MEDIUM | — | 0 |
| CVE-2025-71179 Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bund... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-22220 A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device’s web service to become unresponsive, resulting... | 4.5 | MEDIUM | — | 0 |
| CVE-2026-22228 An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Re... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-24664 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identif... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-20982 Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege. | 6.0 | MEDIUM | — | 0 |
| CVE-2026-24665 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students ... | 8.7 | HIGH | — | 0 |
| CVE-2026-24666 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24667 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existi... | 5.0 | MEDIUM | — | 0 |
| CVE-2026-24668 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add conte... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24669 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid pas... | 7.8 | HIGH | — | 0 |
| CVE-2026-24670 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create ne... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-24671 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-priv... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-24672 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students ... | 7.3 | HIGH | — | 0 |
| CVE-2026-24673 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files w... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-24674 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to ... | 4.7 | MEDIUM | — | 0 |
| CVE-2026-24773 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated ... | 7.5 | HIGH | — | 0 |
| CVE-2026-24774 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark ... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-52623 HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of se... | 3.7 | LOW | — | 0 |
| CVE-2025-52628 HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site re... | 4.6 | MEDIUM | — | 0 |
| CVE-2025-52631 HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle... | 3.7 | LOW | — | 0 |
| CVE-2025-52633 HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized acce... | 3.1 | LOW | — | 0 |
| CVE-2026-0620 When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing... | N/A | NONE | — | 0 |
| CVE-2026-1802 A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType... | 7.3 | HIGH | — | 0 |
| CVE-2026-24426 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses with... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-24427 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, ar... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25233 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps.... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-25234 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category m... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25235 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verif... | 7.5 | HIGH | — | 0 |
| CVE-2026-25236 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25237 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25239 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker ca... | 7.5 | HIGH | — | 0 |
| CVE-2026-25240 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an arra... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25241 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to e... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25482 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25483 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message.... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25488 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25484 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displa... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25485 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25486 Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25487 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2020-37065 StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a m... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25489 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25490 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-25502 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in ic... | 7.8 | HIGH | — | 0 |
| CVE-2026-25503 iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ... | 7.1 | HIGH | — | 0 |
| CVE-2020-37066 GoldWave 5.70 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting malicious input in the File Open URL dialog. Attackers can generate a specially craft... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25522 Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious ... | 4.8 | MEDIUM | — | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.