Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-5043 A weakness has been identified in Belkin F9K1122 1.00.33. The impacted element is the function formSetPassword of the file /goform/formSetPassword of the component Parameter Handler. This manipulation... | 8.8 | HIGH | β | 0 |
| CVE-2026-33575 OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes ... | 7.5 | HIGH | β | 0 |
| CVE-2026-5044 A security vulnerability has been detected in Belkin F9K1122 1.00.33. This affects the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. Such m... | 8.8 | HIGH | β | 0 |
| CVE-2026-5101 A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of t... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5102 A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handle... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-15036 A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present ... | N/A | NONE | β | 0 |
| CVE-2026-5103 A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes c... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5104 A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip lea... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-5105 A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performi... | 6.3 | MEDIUM | β | 0 |
| CVE-2025-7741 Hardcoded Password Vulnerability have been found in CENTUM.Β Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the ... | N/A | NONE | β | 0 |
| CVE-2026-2370 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed... | 8.1 | HIGH | β | 0 |
| CVE-2025-3716 User enumeration in ESET Protect (on-prem) viaΒ Response Timing. | N/A | NONE | β | 0 |
| CVE-2026-39839 Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo E... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-39840 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements.This iss... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-5301 Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries | 7.6 | HIGH | β | 0 |
| CVE-2026-5302 CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites | 6.3 | MEDIUM | β | 0 |
| CVE-2026-39393 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies... | 8.1 | HIGH | β | 0 |
| CVE-2026-39394 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads t... | 8.1 | HIGH | β | 0 |
| CVE-2026-2275 The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling. | 9.6 | CRITICAL | β | 0 |
| CVE-2026-2285 CrewAI contains a arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation, enabling access to files on the server. | 7.5 | HIGH | β | 0 |
| CVE-2026-2286 CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-2287 CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-23973 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo golo allows Reflected XSS.This issue affects Golo: from n/a through < 1.7.5. | 7.1 | HIGH | β | 0 |
| CVE-2026-24359 Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4. | 8.8 | HIGH | β | 0 |
| CVE-2026-24369 Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0. | 7.1 | HIGH | β | 0 |
| CVE-2026-24372 Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce... | 7.5 | HIGH | β | 0 |
| CVE-2026-30556 A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The applicatio... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-24373 Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation.This issue affects RegistrationMagic: f... | 8.1 | HIGH | β | 0 |
| CVE-2026-24378 Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection.This issue affects EventPrime: from n/a through <= 4.2.8.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-24970 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2... | 7.7 | HIGH | β | 0 |
| CVE-2026-24971 Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go searchgo allows Privilege Escalation.This issue affects Search & Go: from n/a through <= 2.8. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-24975 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Organici Library noo-organici-library allows Reflected XSS.This issue affects Organici Li... | 7.1 | HIGH | β | 0 |
| CVE-2026-24976 Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through <= 2.1.2. | 8.8 | HIGH | β | 0 |
| CVE-2026-20041 A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected d... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4927 Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This i... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24977 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Organici Library noo-organici-library allows Blind SQL Injection.This issue affects Organ... | 8.5 | HIGH | β | 0 |
| CVE-2025-36373 IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway coul... | 4.1 | MEDIUM | β | 0 |
| CVE-2026-32867 OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-28871 A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website m... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-26831 textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to chil... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25035 Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Con... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25346 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Exploiting Incorrectly Configured Access Control Se... | 7.1 | HIGH | β | 0 |
| CVE-2026-25373 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a... | 7.1 | HIGH | β | 0 |
| CVE-2026-25435 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS.This issu... | 7.1 | HIGH | β | 0 |
| CVE-2026-25437 Missing Authorization vulnerability in Ψ³ΫΨ― Ω ΨΩ Ψ―Ψ§Ω ΫΩ ΩΨ§Ψ΄Ω Ϋ GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14. | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25457 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | β | 0 |
| CVE-2026-25458 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affect... | 8.1 | HIGH | β | 0 |
| CVE-2026-32539 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection.This issue affects Publ... | 9.3 | CRITICAL | β | 0 |
| CVE-2026-27664 A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds... | 7.5 | HIGH | β | 0 |
| CVE-2026-4860 A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisT... | 7.3 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.